Trojans disguised as apps are nothing new. The newest on the block is called 'Find and Call,' which is advertised as a virtual phone book that keeps a record of all the entries in your phone book so you can quickly access them when you need to.
The app was hosted on both Google Play and on the iTunes App Store. Security experts first pegged it as an SMS worm, but eventually discovered that it was a Trojan identified as Trojan.AndroidOS.Fidall.a and Trojan.IphoneOS.Fidall.a.
Researchers from Kaspersky Lab note that Find and Call's functionality is not limited to being a 'virtual phone book.' After installation, the app asks users to key in their phone number and email address to begin using the app. Once the details are sent over, the app then proceeds to upload the entire contents of the user's phone book to a remote server.
With a bevy of numbers to scam, the malicious app developers then proceed to send scam messages to the people on their lists.
Each phone book entry will receive an SMS spam message offering to click on the URL and download this ‘Find and Call’ application. It is worth mentioning that the ‘from’ field contains the user’s cell phone number. In other words, people will receive an SMS spam message from a trusted source.
-- Denis, Kaspersky Lab Expert
Things continue to get interesting. The company behind the app is called 'Wealth Creation Laboratory', which even has a website set up with the motto 'Let's create together the world of plenty and prosperity!' They've even set up a website for the Find and Call app that asks people for donations so they can continue making apps that scam users and steal people's information.
Uninstall the app if you already have it on your device, and spread the word to your friends and family before they make the same mistake of getting it for their own phones.