Early Thursday morning, Kaspersky posted a blog entry that details a new malicious app that has made its way to both the Apple App Store and Google Play Store. The app's name is Find and Call, and it's the first time we've ever seen a malicious app make it into Apple's App Store.
Once installed, the app asks you to register your phone number and email address. Find and Call will also ask if you want to "find friends in a phone book" before discreetly uploading your entire contact list to a remote server. The app will continue to upload your contacts, and will send SMS messages to those people that contain a link to download the app themselves. These SMS messages show up as if they were sent from your number, so the recipients are much more likely to click on the link.
Find and Call appears to have been pulled from the Google Play Store, though it's still live on the App Store as of this writing. Kaspersky was tipped off to the existence of the app by Russian mobile carrier MegaFon via Twitter, and the app appears to be getting blasted in its reviews as being a virus, according to Google Translate.
While malware in the Play Store isn't anything new, it's concerning to see such an app make it into Apple's walled garden. This raises questions as to how an app like Find and Call made it into the App Store in the first place, and what other dangerous apps have managed to slip past Apple's screeners. Hopefully this was just a fluke, but in the meantime, remember that if an app looks suspicious--even if it's in the App Store--it's best to play it safe and not download it.