Find and Call – is it *really* the first malware in the iOS App Store?

Find and Call - iOS malware?

When our friends at Kaspersky reported yesterday that they had found a malicious app in both the Android and iOS app stores, it was hardly a surprise that it made the headlines.

Although there have been plenty of reports of Android malware, attacks targeted towards iPhone and iPad users are much, much rarer.

Indeed, the most significant incidents we have seen of iOS attacks (the Ikee and Duh worms) only affected poorly-secured jailbroken iPhones.

Clearly Apple’s “rigorous” screening of apps before they’re allowed in the App Store wasn’t quite rigorous enough in the case of the “Find and Call” app, as it was able to slip through the net.

It’s good to hear that Apple has now removed the app, so it is no longer available.

But I’m not sure I 100% agree with Kaspersky that it is malware.

It would probably be more accurate to say that the “Find and Call” app is “spammy” – as it leaks data all over the place in plain text via http (which means, of course, that the data could be intercepted and sniffed by someone wanting to snoop on you).

Once the contact details are uploaded from the affected smartphone there is some server-side code that sends each contact an SMS message with a link to the download location of the app.

In this way the app promotes itself to all of your contacts.

That’s pretty ugly behaviour, as there are no previous warnings or explanations for the user.
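The cleartext upload described above is something a defender can look for in captured traffic. The following Python function is an added example, not code from the original post or from Sophos: it flags plain-HTTP requests whose body carries several phone numbers or e-mail addresses. The flow tuple format, hostnames, field names and threshold are assumptions, and the sample flows are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Loose patterns: enough to count contact-like values, not to validate them.
PHONE_RE = re.compile(r"(?<![\w.])\+?\d[\d\s().-]{6,}\d(?![\w.])")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def contact_values(body):
    """Return the distinct phone numbers and e-mail addresses found in a body."""
    text = unquote_plus(body)  # form bodies arrive URL-encoded
    phones = {re.sub(r"\D", "", m) for m in PHONE_RE.findall(text)}
    phones = {p for p in phones if 7 <= len(p) <= 15}  # plausible digit counts
    emails = {m.lower() for m in EMAIL_RE.findall(text)}
    return phones, emails


def flag_cleartext_contact_uploads(flows, min_contacts=3):
    """flows: iterable of (method, url, body) taken from a proxy or capture.

    Flags uploads sent over http:// that contain at least min_contacts
    contact-like values, i.e. address-book data readable on the wire.
    """
    findings = []
    for method, url, body in flows:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue  # TLS-protected traffic is not readable by a passive sniffer
        if method.upper() not in ("POST", "PUT"):
            continue  # only requests that upload a body
        phones, emails = contact_values(body)
        if len(phones) + len(emails) >= min_contacts:
            findings.append({"host": parts.hostname, "path": parts.path,
                             "phones": len(phones), "emails": len(emails)})
    return findings


# Constructed sample flows (hypothetical hosts and field names).
_CONTACTS = ("name=Ann&phone=%2B1+202+555+0101&name=Bob"
             "&phone=%2B1+202+555+0102&email=carol%40example.test")
SAMPLE_FLOWS = [
    ("POST", "http://sync.example.test/contacts", _CONTACTS),
    ("POST", "https://api.example.test/contacts", _CONTACTS),  # scheme check
    ("POST", "http://stats.example.test/ping", "ts=1341500000&build=1024"),
    ("GET", "http://cdn.example.test/logo.png", ""),
]

if __name__ == "__main__":
    for finding in flag_cleartext_contact_uploads(SAMPLE_FLOWS):
        print(finding)
```

The threshold matters: the timestamp in the third flow looks like a phone number to the loose pattern, so a single match is not treated as evidence of an address-book upload.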

Find and Call website

My guess is that the developers realised the value of collecting a lot of data (and they’re in good company, after all: let’s not forget that data is Google’s and Facebook’s highest valued resource) and they thought of a perfect way to collect it.

And it’s not as though “Find and Call” is a new company – its website has been around for some time.

Find and Call WHOIS information

Perhaps they imagined that their data-collection technique was acceptable and legitimate. In some ways, the “Find and Call” app feels similar to the spammers who don’t believe that sending spam is a bad thing as it’s “just direct marketing after all”.

Indeed, maybe the app’s developers share some similar opinions to the likes of Mark Zuckerberg, and believe that users don’t really care that much about privacy.

When I analysed the app’s code I found a number of clues which made me think that this wasn’t the typical smartphone malware:

  1. The apps have been created both for iPhone and Android phones, with identical names. If this was a truly malicious app why use the same name? As soon as one rogue app is discovered on one store, folks are bound to spot its cousin in the other.
  2. The apps are not skeleton apps, they actually contain quite a lot of functionality (which makes them somewhat more complicated to analyse). If the apps were purely intended for malicious purposes, there would seem little point creating the additional functionality. This wasn’t a quick “snatch and grab”.
  3. Websites with the domain have been set up and although they appear a bit spammy they are not malicious.

Find and Call website

Nevertheless, the headlines mean that every anti-virus product will want to reassure customers that these apps are being properly detected – regardless of arguments as to whether they are truly malware or not.

Sophos has accordingly added detection of the Android variant as Andr/FndNCll-A and the iOS version as iPh/FndNCll-A.

Apple and Google have removed the “Find and Call” application from their respective App stores. Obviously it would have been even better if the app’s lax respect of users’ privacy had been spotted in the first place, and they had never been allowed into those online stores.