The malware is designed to send SMS spam to all the numbers from the victim's contact list

Jul 5, 2012 14:27 GMT

A suspicious application hosted both on Apple’s App Store and on Google Play has caught the attention of security researchers. Initially they believed it was an SMS worm, but after further analysis they discovered that it was actually a Trojan designed to steal phonebooks.

The rogue app, called Find and Call (Trojan.AndroidOS.Fidall.a / Trojan.IphoneOS.Fidall.a), appears to be a virtual phone book, but its functionality extends to far more than just finding friends and calling them, Kaspersky experts report.

After it’s installed, the program asks the user to register by providing his/her phone number and email address. Once this step is completed, when the victim actually uses the app, all his/her contacts are secretly uploaded to a remote server.

Besides stealing the phonebook, the shady app can also harvest GPS coordinates and upload them to the same remote location.

However, it gets worse. The malicious element not only steals the information, but it also sends spam SMS messages to all the individuals in the victim’s contact list.

The company that created the app even has a website, but just like the software, it’s also filled with traps.

It attempts to trick users into entering the credentials to their email, social media and PayPal accounts. If you’re guessing that they need the PayPal account to steal money, you are right.

The “donations” that can be made via PayPal go to a company called Labwealth.com PTE. LTD. from Singapore, a shady “Wealth Creation Laboratory.”

By the looks of it, the organization’s owners are experts in creating wealth for themselves.

Both Apple and Google have been warned about the presence of this application, but so far they haven’t responded to Kaspersky’s notifications.

On the other hand, experts believe that the owners of application markets should ensure that malware hidden within the applications they host can be easily reported and removed as quickly as possible.

Update. Both Google and Apple have removed the app from their websites. In an interesting turn of events, Find and Call's creators have contacted AppInsider.ru and told them that the app is still in "beta-testing." The fact that SMSs are sent out to all the contacts is allegedly just a bug.

However, there are still a number of clues which show that the application may be malicious.