An app known as "Find and Call" has been targeting users of both Apple's iPhone App Store and Google Play, say researchers at security firm Kaspersky Lab.
At first it was thought to be an SMS worm spreading through text messages rather than via the app stores, but it has since been classified as a trojan.
The app, which claims to be a tool for aggregating contacts, secretly uploads the user's entire address book to a remote server, after which text messages and email spam are sent to every contact in it.
Those messages, written in Russian and first reported by Russian mobile carrier MegaFon, simply advertise the app and include a link to a download site.
But because the malicious app, which passed Apple's App Store review, spoofs the user's own number as the sender, the spam appears to come from a phone the recipients already trust.
"Malware in the Google Play is nothing new but it's the first case that we've seen malware in the Apple App Store," Kaspersky researcher Denis Maslennikov wrote in a blog post.
Although it is not the first incident involving the leakage of users' personal data, he said, it is the first confirmed case of malicious use of such data.
Kaspersky contacted Google and Apple about the malware, and both have removed it from their app stores, according to reports.
Maslennikov said payments to the app's PayPal account are linked to a Singapore-based firm called Wealth Creation Laboratory. But its director and co-founder, Sergey Bogatyrev, has denied any knowledge of the Find and Call app.
Analysts say that while the Find and Call app does not pose a real threat to iPhone users, it is a rare chink in iOS's armour.
In the five years since Apple set up its App Store, the only malicious apps have either been proof-of-concept experiments created by researchers or have targeted jailbroken phones.