Google and Apple removed a mobile app named "Find and Call" from their respective app stores on Thursday following reports that it was stealing people's phone book data and using the information to spam their contacts.
The app had been available on Google Play since at least May 21 and on Apple's App Store since at least June 13. Those dates are when the app's Android and iOS versions were last updated, Denis Maslennikov, a senior malware analyst at security firm Kaspersky Lab, said Friday.
Security researchers from Kaspersky analyzed "Find and Call" and flagged it as malware after being notified about its suspicious behavior by MegaFon, one of the largest mobile carriers in Russia.
According to its developer's website, the app allegedly allows users to find and call other people without knowing their phone numbers, if those people associated their domain names, social networking handles, instant messaging IDs, or other similar contact information with a phone number in the "Find and Call" system.
Even though the "Find and Call" website has an English version, the Kaspersky researchers have only seen Russian-language versions of the app so far, Maslennikov said.
After installation, if users click on an option to find their friends, the app silently uploads their phone book data to the developer's server without asking for confirmation.
Other apps have been caught uploading user address books to remote servers without proper notification in the past. However, in this particular case, there is clear evidence that the data is being misused, Maslennikov said.
Once a user's phone book data is copied, their contacts will receive an SMS message advertising the "Find and Call" app. These messages are sent by the app's developer, but they are modified to appear as if they come from the user's phone number.
In addition, if a contact's email address is included in a stolen address book, that contact might also receive a spam email.
While malicious applications have been uploaded to Google Play before, this is probably the first time that malware has been found in Apple's App Store, Maslennikov said. Apple will probably be stricter from now on when reviewing applications that try to upload user phone books to remote servers, he said.
Google and Apple did not immediately return a request for comment. However, the malicious app was removed from their respective app stores.
"With Apple's ecosystem being so locked down, we have to rely on them to protect us and to ensure our data is secure and not exploited by developers," Armando Orozco, a senior mobile malware analyst at antivirus vendor Webroot, said via email. "Thus far they have done a good job; but there are additional steps they can take, like requiring developers to be more transparent when accessing users personal data."