Sneaky iOS (Malware?) Surfaces in App Store, Says Kaspersky

Apple’s closed model, while criticized by many, has kept iPhone and iPad users relatively safe from malware and other potentially malicious apps, especially when compared to Android users.

While some iOS apps have been called into question before over privacy concerns and aggressive advertising tactics, Kaspersky Lab researchers are saying they have discovered an iOS app that they are outright calling malware.

The app in question is “Find and Call,” which Kaspersky is classifying as malware because it grabs a user’s phonebook details (without first notifying the user) and sends spam SMS messages to all contacts, appearing to be initiated from the user. (A version of the app is also available for Android, but for this story we’ll focus on the iOS version.)

Kaspersky said it was tipped off when Russian mobile carrier MegaFon reached out about the suspicious app. After taking a first look into the app, Kaspersky’s mobile security guru Denis Maslennikov said they believed it to be an SMS worm being spread by sending messages to contacts stored in the address book.

“However, our analysis of the iOS and Android versions of the same application showed that it’s not an SMS worm but a Trojan that uploads a user’s phonebook to remote server,” Maslennikov wrote in a blog post. “The ‘replication’ part is done by the server – SMS spam messages with the URL to the application are being sent from the remote server to all the contacts in the user’s address book.”

At first, one may think that while the features may raise privacy concerns, they may not necessarily be malicious, as many legitimate apps, for one reason or another, access and sometimes capture information from address books.

But this app is certainly malicious, Maslennikov says. Why? “Both apps upload user’s phone book to remote server and use it for SMS spam,” he said. 

Following his blog post, Maslennikov noted that AppleInsider.ru was able to connect with the author, who sprang to the app’s defense, saying in an English translation, “[The] system is in process of beta-testing. In result of failure of one of the components there is a spontaneous sending of inviting SMS messages. This bug is in process of fixing. SMS are sent by the system, that is why it won’t affect your mobile account.”

The company appearing to be behind the app describes itself as follows: “Our company develops and introduces new innovational products in the sphere of the Internet and telephony. The project, on the web-site of which you are right now, has been started in 2006, and only in summer 2011 we have decided that it is good enough to bring it to beta-testing and to open it for first users.”

While the Find and Call app should certainly raise red flags, it’s unclear to what extent the authors plan to use the harvested data, and if it would be used beyond the blatant spam attempts to promote its own products. In fact, many online web services and apps often trick users into blindly promoting products, often via a Twitter connection or auto-emailing to address books.

Earlier this year, Symantec issued a warning on a set of Android apps that it said were a bot-like threat, but in reality were just using a third party ad service (Apperhand) that essentially made the apps adware, but not necessarily malware.

Will Find and Call really be marked as the first true malware to work its way into Apple’s official App Store? That’s a tough call. If the company adds a simple disclosure or approval step before sending out SMS promotions, would it still be classified as malware?

“Yes, these pieces of malware are not that ‘cybercriminalistic’,” Maslennikov opined. “But malware is malware and in this case it steals user’s phone book and uses it for SMS spam. And we’re sure that there must be strict and quick response to such incidents.”

Kaspersky Lab detects them as Trojan.AndroidOS.Fidall.a and Trojan.IphoneOS.Fidall.a.

At the time of publishing, FindAndCall is still available via Apple’s App Store.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
