Researchers from the Georgia Institute of Technology have successfully found a way to sneak malicious iOS apps past Apple’s strict App Store review process that is designed to prevent such software from making its way onto our devices.
The technique used a seemingly innocent app called “Jekyll” that could be updated after approval to carry out harmful actions without triggering security alarms.
“Our method allows attackers to reliably hide malicious behavior that would otherwise get their app rejected by the Apple review process,” the researchers wrote in a paper entitled “Jekyll on iOS: When Benign Apps Become Evil.”
“Once the app passes the review and is installed on an end user’s device, it can be instructed to carry out the intended attacks. The key idea is to make the apps remotely exploitable and subsequently introduce malicious control flows by rearranging signed code. Since the new control flows do not exist during the app review process, such apps, namely Jekyll apps, can stay undetected when reviewed and easily obtain Apple’s approval.”
Ars Techina reports that Jekyll was only available to download for just a few minutes following its App Store approval back in March, and no one who was not involved in the experiment downloaded the app during that time. If they had have done, the app would have been able to send tweets, emails, and text messages from their device, take photos, and cause the built-in browser to visit malicious websites — all without detection.
“Such a seemingly benign app can pass the app review because it neither violates any rules imposed by Apple nor contains functional malice,” the paper says. “However, when a victim downloads and runs the app, attackers can remotely exploit the planted vulnerabilities and in turn assemble the gadgets to accomplish various malicious tasks.”
Apple is yet to respond to the findings, but company spokesman Tom Neumayr told the MIT Review that changes have been made to the iOS operating system in response to the issues identified in the paper. It’s unclear at this point whether the vulnerabilities have been completely fixed, however.
- Via Ars Technica