Apple and Google removed the "Find and Call" app from their stores after it harvested users' phone books and sent unsolicited texts.
Kaspersky Lab said today that Find and Call was first believed to be an SMS worm, but turned out to be a Trojan. The app required registration with a phone number and email address, which provided access to the phone's contact list, and it then sent text messages to friends and family with a link to Find and Call.
The hacked user's name appeared in all spam messages, leading recipients to believe the text, and the embedded link, was from a trusted source.
Both versions of the app also uploaded users' GPS coordinates to a remote server, Kaspersky Lab reported. Users could voluntarily enter account information for social networks, email, and even PayPal, to add money to an account.
Russian blog AppleInsider.ru connected with the app's author, who said the app is still in beta and blamed a "failure of one of the components" for the spam. "This bug is in process of fixing," the app author said via a translated email.
Since Tuesday, a number of updates have led to immediate crashes upon launch, according to the developers of Instapaper and GoodReader, two of the many applications affected by Apple's tainted updates. Apple is reportedly working on a fix.
"It is worth mentioning that there have not been any incidents of malware inside the iOS Apple App Store since its launch [five] years ago," Kaspersky Lab said.