When our friends at Kaspersky reported yesterday that they had found a malicious app in both the Android and iOS app stores, it was hardly a surprise that it made the headlines.
Although there have been plenty of reports of Android malware, attacks targeting iPhone and iPad users are much rarer.
Indeed, the most significant incidents we have seen of iOS attacks (the Ikee and Duh worms) only affected poorly-secured jailbroken iPhones.
Clearly Apple’s “rigorous” screening of apps before they’re allowed in the App Store wasn’t quite rigorous enough in the case of the “Find and Call” app, as it was able to slip through the net.
It’s good to hear that Apple has now removed the app, so it is no longer available.
But I’m not sure I 100% agree with Kaspersky that it is malware.
It would probably be more accurate to say that the “Find and Call” app is “spammy” – it leaks data all over the place in plain text over HTTP (which means, of course, that anyone able to watch the network traffic could intercept and read it).
Once the contact details have been uploaded from the affected smartphone, server-side code sends each contact an SMS message containing a link to the app’s download location.
In this way the app promotes itself to all of your contacts.
That’s pretty ugly behaviour, as the user is given no prior warning or explanation.
My guess is that the developers realised the value of collecting a lot of data (they’re in good company, after all – let’s not forget that data is Google’s and Facebook’s most valuable resource) and thought they had found a perfect way to collect it.
And it’s not as though “Find and Call” is a new company – its website has been around for some time.
Perhaps they imagined that their data-collection technique was acceptable and legitimate. In some ways, the “Find and Call” app feels similar to the spammers who don’t believe that sending spam is a bad thing because it’s “just direct marketing after all”.
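As an added example (this is not code from the article, from Sophos or from the “Find and Call” developers), here is a small Python check for the behaviour just described: an entire address book leaving the phone as an unencrypted HTTP request. It scans captured requests for bodies that carry a bulk set of phone numbers and reports which of those went over plain http:// rather than https://. The sample requests, hostnames, paths and field names are constructed assumptions, not the app’s real endpoints.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus, urlsplit

# Loose phone-number shape: optional '+', then 8+ chars of digits, spacing and punctuation.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")
# Distinct numbers in one request before we treat it as a bulk address-book upload.
BULK_THRESHOLD = 3


@dataclass
class Finding:
    url: str
    phone_count: int
    plaintext: bool  # True when the upload went over http:// rather than https://


def _decoded_body(request: dict) -> str:
    """Undo form encoding so 'phone=%2B44+7700...' reads '+44 7700...'; leave JSON as-is."""
    if "x-www-form-urlencoded" in request.get("content_type", ""):
        return unquote_plus(request["body"])
    return request["body"]


def extract_phones(body: str) -> set:
    """Distinct phone-number-like tokens, normalised to digits plus a leading '+'."""
    return {re.sub(r"[^\d+]", "", m.group(0)) for m in PHONE_RE.finditer(body)}


def scan(requests: list) -> list:
    """Flag every request whose body carries a bulk set of phone numbers."""
    findings = []
    for req in requests:
        phones = extract_phones(_decoded_body(req))
        if len(phones) >= BULK_THRESHOLD:
            scheme = urlsplit(req["url"]).scheme
            findings.append(Finding(req["url"], len(phones), scheme == "http"))
    return findings


def plaintext_leaks(requests: list) -> list:
    """The subset of bulk uploads that anyone on the network path could read."""
    return [f for f in scan(requests) if f.plaintext]


# Constructed sample traffic; hostnames, paths and field names are assumptions.
_CONTACTS_JSON = (
    '{"contacts": ['
    '{"name": "Alice Example", "phone": "+44 7700 900123"}, '
    '{"name": "Bob Example", "phone": "+44 7700 900456"}, '
    '{"name": "Carol Example", "phone": "(555) 010-2233"}, '
    '{"name": "Dave Example", "phone": "555-010-4455"}]}'
)

SAMPLE_REQUESTS = [
    {"url": "https://api.example.test/login",
     "content_type": "application/x-www-form-urlencoded",
     "body": "user=alice&pass=hunter2"},
    # Registering a single number is normal app behaviour, not an address-book dump.
    {"url": "http://api.example.test/register",
     "content_type": "application/x-www-form-urlencoded",
     "body": "phone=%2B44+7700+900123"},
    # The behaviour described above: the whole address book, in the clear, over http.
    {"url": "http://sync.example.test/upload_contacts",
     "content_type": "application/json",
     "body": _CONTACTS_JSON},
    # The same upload over TLS: still a privacy problem, but not sniffable in transit.
    {"url": "https://sync.example.test/upload_contacts",
     "content_type": "application/json",
     "body": _CONTACTS_JSON},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"{f.url}: {f.phone_count} numbers, {'PLAINTEXT' if f.plaintext else 'tls'}")
```

The threshold is what separates a contacts dump from an app legitimately registering the user’s own number; in practice you would feed `scan()` requests decoded from a proxy capture taken while exercising the app, and treat any hit on an http:// URL as exactly the kind of leak the article describes.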
Indeed, maybe the app’s developers share some similar opinions to the likes of Mark Zuckerberg, and believe that users don’t really care that much about privacy.
When I analysed the app’s code I found a number of clues which made me think that this wasn’t the typical smartphone malware:
- 1. The apps have been created for both iPhone and Android phones, with identical names. If this were a truly malicious app, why use the same name? As soon as one rogue app is discovered in one store, folks are bound to spot its cousin in the other.
- 2. The apps are not skeleton apps; they actually contain quite a lot of functionality (which makes them somewhat more complicated to analyse). If the apps were purely intended for malicious purposes, there would seem little point in creating the additional functionality. This wasn’t a quick “snatch and grab”.
- 3. Websites under the domain findandcall.com have been set up and, although they appear a bit spammy, they are not malicious.
Nevertheless, the headlines mean that every anti-virus product will want to reassure customers that these apps are being properly detected – regardless of arguments as to whether they are truly malware or not.
Sophos has accordingly added detection of the Android variant as Andr/FndNCll-A and the iOS version as iPh/FndNCll-A.
Apple and Google have removed the “Find and Call” application from their respective app stores. Obviously it would have been even better if the app’s lax respect for users’ privacy had been spotted in the first place, and the apps had never been allowed into those online stores.
.ru – that says it all.
.ru usually means spam; from all the Viagra spam, they all go to .ru web pages… enough said there.
By what do we label an app as malicious or not: functionality or purpose? Anyway, the F&C app has bad attributes by both vectors. It _COVERTLY_ uploads the address book from the phone to a remote server (in fact, it’s stealing) – functionality. The stolen address book is exploited to send spam – purpose. The fact that the developers are not professional cybercriminals does not cancel the fact that the app turned out to be malicious.
Please provide links and explanations of how to detect if one's i-device or Mac computer is infected– and, if so, how to delete the infection.
Without that, all you're doing is seeing FUD.
Invoke the reading skill, my brainless friend.
I wonder what negative impact this will have on other apps that have similar names. Hopefully apps like ReadAndCall (which is good) don't receive unwarranted negative reactions. Many developers work hard to produce good Apps and one bad "apple" can ruin countless hours of good work.
These “apps” are no more malware than Facebook’s and Zynga’s apps, which snitch our contact books from our smartphones without our permission or knowledge. Why aren’t these apps on the “bad list”?
The theory is that at least Facebook buys you dinner first. 🙂
Does Sophos remember what malware is? Even Norman got this!
We detect the apps as well. Read the article until the end. 🙂