Kaspersky researchers recently came across a malicious application called "Find and Call" in both the iOS App Store and Google Play. The app has since been removed from both stores.
"Malware in the Google Play is nothing new but it’s the first case that we’ve seen malware in the Apple App Store," writes Kaspersky researcher Denis Maslennikov. "It is worth mentioning that there have not been any incidents of malware inside the iOS Apple App Store since its launch 5 years ago."
"Once installed, the app asks you to register your phone number and email address," writes PCWorld's Armando Rodriguez. "Find and Call will also ask if you want to 'find friends in a phone book' before discreetly uploading your entire contact list to a remote server."
"Once the phonebook is exfiltrated to the server, SMS spam messages containing a link to a page where the free app can be downloaded are sent to all the contacts, inviting them to use it to reach the sender," writes Help Net Security's Zeljka Zorz.
"Besides stealing the phonebook, the shady app can also harvest GPS coordinates and upload them to the same remote location," writes Softpedia's Eduard Kovacs.
"Kaspersky acknowledges that Find and Call may not overtly brick someone's smartphone or steal money from users just yet -- the website for the app does ask users for their social networking logins and PayPal account passwords, though," writes Ars Technica's Jacqui Cheng. "The larger picture is that as both iOS and Android continue to grow in popularity, they will increasingly find themselves the targets of similar data-stealing attacks."