Researchers Sneak Malicious App into Apple’s App Store
Researchers from the Georgia Institute of Technology have found a way to bypass Apple’s mandatory review process, and have sneaked a malicious app into the App Store.
Ars Technica reports that computer scientists created an iOS app that acted like Dr. Jekyll and Mr. Hide: it preserved its harmless look while under the review process, but they were able to update it to carry out malicious actions such as stealthily sending tweets, emails, and text messages; stealing the handset’s ID numbers; taking photos; and even attacking other applications. Furthermore, the app was able to trigger mobile Safari to load booby-trapped websites.
The app, entitled “Jekyll,” works by taking the already signed binary code and rearranging it in such a way that enabled malicious behaviour.
“Our method allows attackers to reliably hide malicious behavior that would otherwise get their app rejected by the Apple review process,” the researchers wrote in a paper titled Jekyll on iOS: When Benign Apps Become Evil. “Once the app passes the review and is installed on an end user’s device, it can be instructed to carry out the intended attacks. The key idea is to make the apps remotely exploitable and subsequently introduce malicious control flows by rearranging signed code. Since the new control flows do not exist during the app review process, such apps, namely Jekyll apps, can stay undetected when reviewed and easily obtain Apple’s approval.”
“Such a seemingly benign app can pass the app review because it neither violates any rules imposed by Apple nor contains functional malice,” the researchers wrote. “However, when a victim downloads and runs the app, attackers can remotely exploit the planted vulnerabilities and in turn assemble the gadgets to accomplish various malicious tasks.”
Although the app was active for only a couple of minutes in the App Store back in March and wasn’t downloaded by users, the question remains open as to whether the vulnerabilities have since been completely fixed.