Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Apple Pulls Russian SMS Spam App from App Store [Updated]

MacRumors

MacRumors

macrumors bot
Original poster
Apr 12, 2001
68,622
39,500



Earlier today, Russian security firm Kaspersky Lab reported that it had been alerted to an app available in both Apple's App Store and the Google Play store for Android that was quietly harvesting users' address book contacts and sending them to the developer's servers. The developer's systems were then sending text messages to those contacts advertising the application, with the "From" field being spoofed with the original user's mobile phone number.

find_and_call.jpg



The application, Find and Call, ended up primarily targeting Russian users due to its use of the Russian language in the app description, but the app was available in App Stores around the world. The report notes that while there have been previous incidents of personal information being transmitted inappropriately from App Store apps, this appears to be the first time that such information has been used in a malicious manner.
Malware in the Google Play is nothing new but it's the first case that we've seen malware in the Apple App Store. It is worth mentioning that there have not been any incidents of malware inside the iOS Apple App Store since its launch 5 years ago. But the main issue here is user's privacy again. It's not for the first time when we see incidents related to user's personal data and its leakage. And it's for the first time when we have confirmed case of malicious usage of such data.
Click to expand...
In several updates to the original post, Kaspersky Lab notes that spam invites are also being sent via email. One user was also able to get in touch with the application's author, who claims that the behavior is a bug, although the explanation certainly appears to be suspect.

It now appears that Apple has removed Find and Call from the App Store, as links to the app in the U.S. and Russian App Stores show that it is unavailable. The app did exist for some time, however, as it debuted in the App Store on June 13.

Apple has been working to limit third-party apps' access to personal data, and will be rolling out enhanced permission requirements in iOS 6 to alert users when their data is being accessed.

Update: Apple has issued a statement to The Loop acknowledging that it has pulled the app.
"The Find & Call app has been removed from the App Store due to its unauthorized use of users' Address Book data, a violation of App Store guidelines," an Apple representative told The Loop.
Click to expand...

Article Link: Apple Pulls Russian SMS Spam App from App Store [Updated]
 
Article Link
https://www.macrumors.com/2012/07/05/apple-pulls-russian-sms-spam-app-from-app-store/
Richdmoore said:
I hope apple uses it's "kill switch" to delete this app from those phones that have already downloaded the app.
Click to expand...

In this case, thats a good idea. If all the app does is spam, spam, and spam, then kill it. Was this a free app? If not, they should take the money from the developer's account (if he has received it already) and return it to the people who downloaded this app.
 
By the current number of Apps available and the security flaws (or holes) in up to iOS 5.1.1, it was just a matter of time this would happen. I imagine it is pretty easy: You submit a clean version of an App and one of the updates contains the exploiting parts. I doubt that the functionality will be checked well enough that this would be rejected.

Bad news: someone gave an example what you can do with the current settings.

Good news: Companies like Kaspersky Labs know what to look for.
 
Richdmoore said:
I hope apple uses it's "kill switch" to delete this app from those phones that have already downloaded the app.
Click to expand...

Yeah. Although Apple never used the kill switch before, this would be a good case for it.

RoelJuun said:
The first question that pops up in my mind is; how got it in the app store in the first place.
Click to expand...

The developer probably wasn't spamming its users until it was approved.
 
ouimetnick said:
In this case, thats a good idea. If all the app does is spam, spam, and spam, then kill it. Was this a free app? If not, they should take the money from the developer's account (if he has received it already) and return it to the people who downloaded this app.
Click to expand...

I agree... This doesn't bode well for anyone :p
Here would be a great place to exercise the kill switch.
 
RoelJuun said:
The first question that pops up in my mind is; how got it in the app store in the first place.
Click to expand...

Oh how I would hate to be that Quality Assurance Tester that signed off and accidentally let this one slip by. Especially if this really is the first incident in five years, as the article states.

But thinking about it further, there are a lot of apps that access the entire address book. A game like Words with Friends can access the address book, they just are trusted to NOT spam. This app probably went through, and the developer is being a **** by spamming after the fact.
If that's the case, I don't know how this can be stopped during the approval process.

Unless it's easy to see when an app is uploading address books to an outside server..
So many questions..
 
Last edited:
MacRumors said:
One user was also able to get in touch with the application's author, who claims that the behavior is a bug, although the explanation certainly appears to be suspect.
Click to expand...

Yea, right: "I got all that contact info and didn't know what to do. So, I started to advertise my App to them impersonating you. That clearly was a bug!"

It's like the situation where the husband walks in on the pool boy and his wife: "Oh, I understand! She was changing, you were taking a leak and when you stumbled, you both tripped 10 feet and landed naked on top of each other in the bed. Time for you to accidently fall 20 times backwards into my kitchen knife! Surely no problem for someone that clumsy."
 
I've had iOS malware

Why are people acting like there hasn't been malware on the iPhone before? About two months ago, I had malware that quietly changed whatever phone number was the top of my Favorites list to a 1-800 number I didn't recognize. Delete that entry from my Favorites list, and two seconds later, whatever the new top number was on my Favorites changed to that 1-800 number. I ended up wiping and reinstalling iOS, and the problem went away.

This started up after I got a spam SMS message.

Anybody else seen this?
 
tubular said:
Why are people acting like there hasn't been malware on the iPhone before? About two months ago, I had malware that quietly changed whatever phone number was the top of my Favorites list to a 1-800 number I didn't recognize. Delete that entry from my Favorites list, and two seconds later, whatever the new top number was on my Favorites changed to that 1-800 number. I ended up wiping and reinstalling iOS, and the problem went away.

This started up after I got a spam SMS message.

Anybody else seen this?
Click to expand...

Do you have a JB phone?
 
Funny, I got some malware last week. All of a sudden this app wiped all of the email addresses in my address book, and replaced them with an @facebook.com email address.

Oh wait that was the official Facebook app and it's still up :p
 
phone not jailbroken

Mad-B-One said:
Do you have a JB phone?
Click to expand...

Nope. That's why I was very surprised to see this. And it's why I'm hoping that iOS 6 does indeed firewall away the contacts list, so that apps can't juggle the Favorites list like that.
 
RoelJuun said:
The first question that pops up in my mind is; how got it in the app store in the first place.
Click to expand...

The reviewers aren't all-knowing. For an app like this they could have observed the following without rejecting the app:
1. App accesses user's contacts (100% legitimate for an app of this nature)
2. App communicates to app developer's server (many, many apps do this for legitimate reasons.

It's not valid for an app to sends contact information to the app developer's server without user permission after an adequate and accurate disclosure. But of course the app could have sent that information in an encrypted form so that the app reviewers had no way to know that contacts were being sent or may have actually asked permission without revealing the intent to spam.

And, obviously, no spam was sent until after the app had been reviewed.
 
RoelJuun said:
The first question that pops up in my mind is; how got it in the app store in the first place.
Click to expand...

At this point, I am pretty much convinced that they are using artificial intelligence to approve apps. It was the approved "Microsoft Word 2012" that slipped into the App Store a couple weeks ago (and pulled later) that led me to this.
 
and there goes the myth that ios is safer then android. Nice job for QA department
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back