Yes, you're seeing straight, the iOS App Store was indeed infected with a Trojan masked as an app. The app was called “Find and Call,” but the only thing it did was upload your iOS device’s contacts to a server…
The app became available this morning on the App Store and Google Play store for Android. While there’s been plenty of malware floating around Android, this is the first time iOS has ever seen such a thing.
Once installed, the trojan app would upload your contacts to a server and then send an SMS with a download link for the app. It gets even worse. The SMS would be masked so your friends would get the impression that you sent it, making it highly likely for them to install the app.
There’s no word on where the contacts went or what will happen with the uploaded data, but rest assured it’s been removed from both App Stores.
I’m curious to know how something like this even slipped past Apple’s app review team. They have a very strict policy about accessing contacts on iOS devices. We learned this from the security breach with the Path app uploading contacts to their servers.
Maybe the App review team is too busy looking at pornography, as an ex-employee recently noted in an interview.
Did you get infected?
Source: Securelist via Macgasm