It's not malware unless it damages or impairs the phone. It doesn't do that, it's just a bit of spamming app.
This is why there's a remote kill in all app stores.
A mobile Trojan that secretly sends the phone's whereabouts and its address book to spammers has slipped into Apple's App Store and Google's Play marketplace. Called Find And Call, the malware includes a "find your friends" feature that uploads a user's phonebook contents to servers under the control of the application's …
So is it really malware? Sophos security doesn't agree: http://nakedsecurity.sophos.com/2012/07/06/find-call-ios-android-malware/. They prefer to call it a "spammy" app.
Path, Facebook and other apps were already found to read the contacts list, it's wasn't a problem before. Are those malware too? In this case the developer just went too far with the data and spammed the contacts.
I'm also sure this app would have to request location permission to read the GPS coordinates.
Does the app actually "Logs and uploads GPS coordinates"? Kapersky only say "Both apps are also able to upload user’s GPS coordinates to the same server but such ‘feature’ is not that new for both malicious and legal apps to be honest." Sounds like if it does, it's a one shot thing.
It's the spamming part that's the problem. Path were uploading the data but not doing anything weird with it, so no deception - just a little incompetence. As soon as it was pointed out to them that this probably wasn't what most users expected they deleted the data and updated the app to stop it.
I'm not familiar with the Facebook app - no idea.
This, by sending spam, is different and (for me at least) pushes it into the category of "malware".
The developer was doing all the SMS spam from his own server, after uploading the contacts. Neither Apple nor Google knew what the developer was doing with this data after it left the phone.
Users installed this app which explicitly says it's going to scan the phonebook to find friends, so they agreed to give the developer access to the phonebook. There's no way around this, the user wanted it. Add contact permissions on top like Android or iOS 6, the user will still say yes. That's why they installed the app!
The only remedy here is do to what they did, remove the app from the store as soon as the problem becomes known and shut down the developer's account, hopefully adding checks to make sure he doesn't return.
Maybe some of the affected users in Russia will want to report the developer to the police too.
The parent comment is exactly right - this isn't a technical problem at all, it is pure deception.
Unfortunately the technical access that such an app would require to legitimately to do what this app was advertised to do is exactly the same as was needed to carry out the spamming. There is nothing Apple or Google could do to prevent it, unless they were to stop any application from reading the user's contact database - which would mean that many legitimate applications would be impossible.
That the headline is about Apple and not Android, anyhoo the only real story here is that someone managed to do something bad with a completely legal use of the app permissions, I am not sure what people expect Apple or Google do, av wouldn't help, so the only way to stop this is to stop the whole ability for a phone to send/sync its contacts anywhere.
I guess el reg will hope to get lots of links from that bait
SMS spammers get their 'targets' from a variety of sources, including just making numbers up to see if they work. What you must not do is reply in any way, even to send 'STOP' back to them. If you do, then you will confirm that their spam has been read and they will multiply their efforts and also pass your number along to other spammers.
"Russian blog AppleInsider.ru got in touch with the developers of Find And Call via its tech support. The programmers claimed the SMS-sending feature (which has unsurprisingly drawn a number of complaints) was a bug"
I LOLed. It's a bug when you're found out, eh, Mark Zuckerburg?
Biting the hand that feeds IT © 1998–2019