A Russian-language app called Find and Call, which was available in both the Apple App Store and Google Play, has been discovered to be the cause of the bug, Wired reported. Kaspersky antivirus experts were responsible for finding the culprit, which is essentially a Trojan that steals and uploads the user's address book to a remote server.
After the data is uploaded, the server sends spam to the email addresses and phone numbers belonging to the victim's contacts, advertising the Find and Call application. The app also steals the GPS coordinates of the victim's phone and uploads them to the server.
The app is described as one that simplifies one's contacts list, and it has been removed from the App Store and Google Play.
"The Find and Call app has been removed from the App Store due to its unauthorized use of users' address book data, a violation of App Store guidelines," Apple spokesperson Trudy Muller told Wired.
The app does request permission to access the user's address book by asking if the user wants to find friends in a phone book. However, once permission is granted, the app swipes the contact information and sends spam, making it seem as if it is being sent by the user.
Russian iOS users are the only ones known to have been affected by the malware, but the app was open and available for anyone to download. The developer behind Find and Call has attributed the incident to a bug within the system, Wired reports.
"System is in process of beta-testing," the developer said in an emailed statement to AppleInsider.ru. "In result of failure of one of the components there is a spontaneous sending of inviting SMS messages. This bug is in process of fixing. SMS are sent by the system, that is why it won't affect your mobile account."
The app has earned one-star ratings and complaints from reviewers, along with requests for the app to be pulled. The incident illustrates a larger issue of privacy and security that comes with the growing number of available mobile apps. A recent move by authorities in China seeks to tighten regulations on apps that come with smartphones out of the box, according to ZDNet. The proposed legislation is said to help mature the market and make it more transparent.
The Ministry of Industry and Information Technology issued the memorandum on strengthening mobile intelligent terminal network access management on June 1. Proposed measures include banning manufacturers from shipping devices with apps that contain malicious code or collect or alter data without clearly notifying users.
"Consumers will still have access to new phones and new technology, and, if anything, [these devices] will be more secure in downloading or purchasing applications so users do not have to worry about data security or unwanted charges," Ben Cavender, associate principal at China Market Research, said to ZDNet.
Last month, cloud-based application security testing firm Veracode Inc. outlined five ways developers can create more secure apps. This entails including security measures early in the development stages, identifying the security experts, engaging in further education, building a security program that can test all applications, and ensuring that patching is consistent.