Find and Call - is it *really* the first malware in the iOS App Store?

Filed Under: Android, Apple, Data loss, iOS, Malware, Mobile, Privacy, SophosLabs, Spam

Find and CallWhen our friends at Kaspersky reported yesterday that they had found a malicious app in both the Android and iOS app stores, it was hardly a surprise that it made the headlines.

Although there have been plenty of reports of Android malware, attacks targeted towards iPhone and iPad users are much much rarer.

Indeed, the most significant incidents we have seen of iOS attacks (the Ikee and Duh worms) only affected poorly-secured jailbroken iPhones.

Clearly Apple's "rigorous" screening of apps before they're allowed in the App Store wasn't quite rigorous enough in the case of the "Find and Call" app, as it was able to slip through the net.

It's good to hear that Apple has now removed the app, so it is no longer available.

But I'm not sure I 100% agree with Kaspersky that it is malware.

It would probably be more accurate to say that the "Find and Call" app is "spammy" - as it leaks data all over the place in plain text via http (which means, of course, that the data could be intercepted and sniffed by someone wanting to snoop on you).

Once the contact details are uploaded from the affected smartphone there is some server-side code that sends each contact an SMS message with a link to the download location of the app.

In this way the app promotes itself to all of your contacts.

That's pretty ugly behaviour, as there are no previous warnings or explanations for the user.

Find and Call website

My guess is that the developers realised the value of collecting a lot of data (and they're in good company, after all. Let's not forget that data is Google's and Facebook's highest valued resource) and they thought of a perfect way to collect it.

And it's not as though "Find and Call" is a new company - it's website has been around for some time.

Find and Call WHOIS information

Perhaps they imagined that their data-collection technique was acceptable and legitimate. In some ways, the "Find and Call" app feels similar to the spammers who don't believe that sending spam is a bad thing as it's "just direct marketing after all".

Indeed, maybe the app's developers share some similar opinions to the likes of Mark Zuckerberg, and believe that users don't really care that much about privacy.

When I analysed the app's code I found a number of clues which made me think that this wasn't the typical smartphone malware:

  • 1. The apps have been created both for iPhone and Android phones, with identical names. If this was a truly malicious app why use the same name? As soon as one rogue app is discovered on one store, folks are bound to spot its cousin in the other.
  • 2. The apps are not skeleton apps, they actually contain quite a lot of functionality (which makes them somewhat more complicated to analyse). If the apps were purely intended for malicious purposes, there would seem little point creating the additional functionality. This wasn't a quick "snatch and grab".
  • 3. Websites with the domain have been setup and althought they appear a bit spammy they are not malicious.

Find and Call website

Nevertheless, the headlines mean that every anti-virus product will want to reassure customers that these apps are being properly detected - regardless of arguements as to whether they are truly malware or not.

Sophos has accordingly added detection of the Android variant as Andr/FndNCll-A and the iOS version as iPh/FndNCll-A.

Apple and Google have removed the "Find and Call" application from their respective App stores. Obviously it would have even better if the app's lax respect of users' privacy had been spotted in the first place, and they had never been allowed into those online stores.

, , , , , , , ,

You might like

10 Responses to Find and Call - is it *really* the first malware in the iOS App Store?

  1. Cliff · 1191 days ago

    .ru - that says it all.

  2. Robert Gracie · 1191 days ago

    .ru usually means spam from all the viagra spam they all go to .ru web pages...enough said there

  3. Clim · 1191 days ago

    For what we label an app as malicious or not? Functionality or purposes? Anyway, F&C app has bad attributes by both vectors. It _COVERTLY_ uploads Address Book from phone to remote server (by fact it’s a stealing) – functionality. Stolen Address Book is exploited to send spam – purpose. The fact that developers are not professional cybercriminals does not cancel that app’s turned out to be malicious.

  4. paul · 1191 days ago

    Please provide links and explanations of how to detect if one's i-device or Mac computer is infected-- and, if so, how to delete the infection.

    Without that, all you're doing is seeing FUD.

  5. RedRapper · 1190 days ago

    I wonder what negative impact this will have on other apps that have similar names. Hopefully apps like ReadAndCall (which is good) don't receive unwarranted negative reactions. Many developers work hard to produce good Apps and one bad "apple" can ruin countless hours of good work.

  6. Peter · 1190 days ago

    These "apps" are no more malware than facebook and zyngas app who snitches our contactsbooks from our smartphones without our permission nor aknowledge.. Why isn't these apps on the "bad list" ??

    • Henry · 1187 days ago

      The theory is that at least Facebook buys you dinner first. :-)

  7. disappointedinsophos · 1188 days ago

    Does Sophos remember what malware is? Even Norman got this!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Vanja is a Principal Virus Researcher in SophosLabs. He has been working for Sophos since 1998. His major interests include automated analysis systems, honeypots and malware for mobile devices. Vanja is always ready for a good discussion on various security topics.