
    Jul13
    1:07 pm (UTC-7)   |    by

    Last week the news sites were full of headlines proclaiming that the “first iOS malware” had hit the iOS App Store. Just one problem with those headlines: they weren’t 100% accurate.

    The “Find and Call” app – the Android version of which we detect as ANDROIDOS_INFOLKFIDCAL.A, and the iOS version as IOS_INFOLKCONTACTS.A – has only one key feature. It sends the user’s address book to a remote server without the user’s explicit say-so. Simply put, that’s a clear violation of privacy and apps shouldn’t be doing it. Period. In this particular case, the people in the address book were spammed, but that was done by the remote server, not the “malware” itself.

    But there’s one problem. Legitimate apps have done exactly the same thing before. The social networking app Path was famously caught doing this earlier this year. Path came under tremendous fire for breaching users’ privacy so blatantly.

    This was enough of a concern for Apple that the iOS 6 beta explicitly requires user consent every time before an app can access/send a user’s contacts, calendars, reminders, or photos.

    The fact is that enough legitimate apps want access to users’ behavior that the practice of sending a user’s calendar information to a server isn’t instantly thought of as “bad” behavior anymore, because so many people let their apps do it. Unfortunately, the act of sending a user’s contact list has been “legitimized” by these apps, even if it remains, strictly speaking, odious behavior. In fact, “Find and Call” did explicitly ask for access to the user’s contact list.

    Users should ignore the exaggerated hype about this “first iOS malware” and think about what it really did – it gave an app (and, implicitly, the people behind that app) access to their contacts. Think about how many apps ask for similar permissions – usually in the guise of sharing with or finding your friends/contacts. This incident should serve as a wake-up call to users as to exactly who – and how often – they’re giving their information to.

    Apple deserves kudos for giving users the tools to help manage their personal information. Other mobile OS vendors should follow suit to provide all users with methods to protect their privacy.









    • Yinfeng Qiu

      I agree with you. That’s why I name it iOS_INFOLKContacts.A, instead of iOS_TROJ. After all, all it does is just leak Contacts info to a remote server, which is quite “normal” in the Android world. It is the server that later sends spam SMSes and mails.



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice