A Russian-made "app" called "Find and Call" has become the first malware to appear in Apple's iOS app store since it was opened in 2007, according to researchers at Kaspersky Lab. The app transmits contact numbers in plain text to a server hosted in Singapore that belongs to the malware's creators; the numbers are subsequently used for sending SMS spam.
The malware – which was also made available for download in Google Play, Google's own app store for Android devices – was highlighted by Russian mobile telecoms carrier MegaFon, according to Denis Maslennikov, a researcher at Kaspersky Lab.
In a posting to Securelist.com, he wrote: "The app would take your address book and send it to a server. From there, the server would spam those in your address book with ads via text messages."
However, potential users could also have worked out from reviews of the app in both app stores that the app was abusive before downloading – users gave it one star out of five and criticised it for sending SMS spam.
Russian blog site AppleInsider.ru claimed to have tracked down the author of the app, who said that the spam issue was the result of an error in the code: "The system is in process of beta-testing. [As a result of] failure of one of the components there is a spontaneous sending of inviting SMS messages. This bug is in process of being fixed. SMS are sent by the system, that is why it won't affect your mobile account."
Maslennikov's conclusions are blunt: "The main issue here is user's privacy again. It's not the first time we have seen incidents related to users' personal data and its leakage. But it is the first time we have a confirmed case of malicious usage of such data.
"We're sure that both applications must be deleted from the official markets. Yes, these pieces of malware are not that 'cybercriminalistic'. But malware is malware and in this case it steals the user's phone book and uses it for SMS spam. And we're sure that there must be strict and quick response to such incidents," concluded Maslennikov.