Kaspersky Lab has spotted an app known as “Find and Call” in both the iPhone App Store and the Google Play marketplace. The malicious app masquerades as a tool for simplifying contact lists, but instead uploads a user’s full contact list to a remote server and proceeds to send SMS and email spam to every person in the list.
Believed to be linked to a company based in Singapore, “Find and Call” will ask the user to sign in with an email address and cell phone number once it is downloaded.
In a blog post, Kaspersky points out that neither field is checked for validity before moving forward. The user is then asked if he or she wants to “find friends in a phone book”—if the user agrees, the app uploads the device’s address book data in the background without notifying the user or even indicating that anything is happening at all. Every single person in the contact list will receive the SMS spam, but it won’t look like spam from the receiver’s end.
For a more in-depth analysis of “Find and Call”, with visuals, by Denis Maslennikov, Senior Malware Analyst, EEMEA, Global Research and Analysis Team, please visit this page.
Kaspersky Lab said that it will continue to provide updates on the development of the “Find and Call” Trojan. The app has been removed from both Apple's App Store and Google Play.