Not even the iOS App Store’s curation policy is immune to accidentally letting in malware, as evidenced by a new app, “Find and Call,” which made it into both the App Store and Google Play but has now been booted from both stores.
The malware, first reported by security firm Kaspersky Labs, uploads an end user’s contact list to a remote server and uses that information to spam those contacts with text messages and emails, spoofing them to appear to come from the original user’s accounts.
The app has since been removed from both the iOS App Store and Google Play. Google Play was actually the first marketplace to remove the malware. Later, Apple sent the following statement to the media: “The Find & Call app has been removed from the App Store due to its unauthorized use of users’ Address Book data, a violation of App Store guidelines.”
That was an unusually mild way of putting it.
The curated aspect of the App Store means that these sorts of occurrences are few and far between. It doesn’t, however, mean that they can never occur. Last year, security researcher Charlie Miller discovered a way to slip unsigned code into an app that was approved for entry into the App Store.
While his app was a benign demonstration app, it still showed that nothing, not even the App Store curation process, is proof against all malware.
The “Find and Call” app, however, is believed to be the first live spamware to make it into the App Store.