Apple and Google both have removed a malicious application from their mobile stores that uploads a user's contact list to a remote server.
The app, named "Find and Call," is believed to be the first malware to impact Apple's App Store, the discoverer of the threat Denis Maslennikov, senior malware analyst at Kaspersky Lab, said in a blog post.
It bills itself as an app that can help users organise their address book, but actually commits data hijacking and spews spam via text message and email to the contacts of victims.
Once a user installs the app, they are asked to register it by using an email address and cell phone number, Maslennikov wrote.
Afterward, they are asked if they'd like to locate their friends. If they agree, the data from their contact list is sent to a remote server. Then their contacts are hit with spam that requests they also download the app.
"It is worth mentioning that the 'from' field contains the user's cell phone number," he wrote. "In other words, people will receive an SMS spam message from a trusted source."
The apps, which have since been removed from both Google's and Apple's stores, garnered very negative feedback from users and appeared to only affect Russian users, Maslennikov said.
This marks the first time that a trojan has found its way into iOS App Store, he said.
It is just one of a bevy of suspicious programs that infiltrated Google Play, formerly known as the Android Market, because of the company's open developer model. Apple has more of a stringent certification process in place for its developers.
Neither Google or available were available for comment.