[Infowarrior] - First Apple App Store malware found by Kaspersky

Richard Forno rforno at infowarrior.org
Fri Jul 6 18:18:08 CDT 2012


First Apple App Store malware found by Kaspersky

Find and Call steals IOS users' phone book data and spams contacts with ads

http://www.theinquirer.net/inquirer/news/2189908/apple-app-store-malware-kaspersky

By Lee Bell
Fri Jul 06 2012, 16:12
THE FIRST EVER piece of malware has been discovered in Apple's App Store by Russian security firm Kaspersky.

The malicious app called Find and Call steals IOS users' phone book data and spams the contacts with advertisements.

Originally brought to Kaspersky's attention by a mobile carrier named Megafon, the app was also found in Google Play, but has since been removed from both Google's and Apple's app stores.

"At first glance, this seemed to be an SMS worm spread via sending short messages to all contacts stored in the phone book with the URL to itself," Kaspersky senior malware analyst Denis Maslennikov said in a blog post on Thursday.

"However, our analysis of the IOS and Android versions of the same application showed that it's not an SMS worm but a Trojan that uploads a user's phonebook to a remote server."

Maslennikov said that this replication was done by the server, which sends each contact an SMS message with a link to the download location of the app.

"If a user launches this application he will be asked to register in the app using his email address and cell phone number (both fields won't be checked for validity)," Maslennikov said. "If the user wants to 'find friends in a phone book' his phone book data will be secretly uploaded to remote server."

Contacts in the phone books of those infected by the app will be spammed with SMS messages inviting them to click on the URL and download the 'Find and Call' application. If a contact follows the URL, the web site asks them to sign up, entering their social networking accounts, email accounts and even Paypal details to add money to the account.

Kaspersky explained that if a user tries to add some amount of money, they will notice that the malware transfers money to a company called 'LABWEALTH.COM PTE. LTD.'

"If you check their website, 'labwealth.com', you'll find a company based in Singapore named 'Wealth Creation Laboratory'. Yeah, right! This company, by the way, has really nice motto: 'Let's create together the world of plenty and prosperity!'" Maslennikov said.

However, senior technology consultant at Sophos, Graham Cluley said he didn't agree with Kaspersky's judgment that the finding was malware.

"It would probably be more accurate to say that the app is 'spammy' - as it leaks data all over the place in plain text over http, which means the data could be intercepted and sniffed," he said.

"It sounds like somebody realised the value of having a lot of data and they thought of a perfect way to collect it, and perhaps imagined that this technique is probably legit. Similar to some spammers not thinking that sending spam is a bad thing, 'It is just direct marketing after all'."

Cluley added that "Apple's rigorous screening of apps" wasn't quite rigorous enough when this one slipped through the net, but was pleased to hear that Apple has removed the app so it's no longer available.

Regardless of whether the app has been removed or not, the finding marks somewhat of a watershed moment for Apple, which, unlike Google, had remained unscathed by vulnerabilities in its app store. µ

Source: The Inquirer (http://s.tt/1h4ft)

---
Just because I'm near the punchbowl doesn't mean I'm also drinking from it.


