
Summary:

A group of researchers from Georgia Tech managed to get a malware-infected app into Apple’s App Store. Here’s how they did it.


Apple’s App Store can seem like Fort Knox, as Apple reviews each and every app before making it live. This fastidious approach works, for the most part, but it isn’t a perfect process. MIT Technology Review reports that researchers from Georgia Tech recently managed to get a malware-infected app approved by Apple and placed in the App Store.

Dubbed Jekyll, but submitted to Apple as an app for Georgia Tech News, the app had the ability to transform itself over time. “The app did a phone-home when it was installed, asking for commands. This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed,” said Long Lu, who was part of the team that created the app.

According to Lu, the team could tell that Apple ran the app for no more than a few seconds before approving it. The app contained fragments of code, hidden within legitimate app operations, that reassembled themselves only after the app had been running for some time, and Apple's review never ran it long enough for that to happen.

And Jekyll was hiding some pretty nasty malware. It could send e-mails and text messages, tweet, take photos, steal personal information and device ID numbers, and attack other apps, all without the user ever knowing. It even had a way to direct Apple’s Safari browser to a webpage filled with additional malware. Not the sort of thing you want on your phone or tablet.

The researchers infected their own Apple devices by installing the app directly from the App Store, and withdrew the app immediately thereafter. It was only live for a few minutes, and no one other than the research team installed it during that time.

“The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen,” Lu said.

The Georgia Tech team performed this experiment back in March, but didn't reveal any of their findings until publishing a paper for the USENIX Security Symposium this week.

Apple spokesman Tom Neumayr told MIT Technology Review that Apple has already made changes to iOS in response to the researchers' findings, but he wouldn't comment on Apple's process for reviewing apps, about which it has always been notoriously secretive.

So while you still have a far better chance of downloading malware onto an Android device, this goes to show that no mobile operating system can ever claim to be truly safe.

This post was updated at 9:19am to clarify that Neumayr’s comment was in response to MIT Technology Review.

  1. Yyyyyyyy zzz zzz

    I hacked your comments by commenting an arbitrary amount of plain text.

  2. Now how did they get out of the sandbox!!

  3. Wow, talk about lazy from Apple! They need to run the programs thoroughly. I don't trust app makers as it is.

  4. Nicholas Paredes Saturday, August 17, 2013

    And, this is exactly how to also insert a lot of tracking code. Apple is looking for data transmission, and if it finds it, your app is out of the market. Having an app achieve traction and find the financial incentive to blow that is obviously not common.

  5. Didn’t Charlie Miller do this very thing years ago? Nothing new then, move along.

  6. unbiased reader Saturday, August 17, 2013

    > So while you still have a far better chance of downloading malware onto an Android device

    Your article just proved this statement to be false; it should be retracted.

  7. If you try hard enough, you can defeat any security system.

  8. I think this is bound to happen any time you have a closed system. Open source is like science in that it has a "peer review" process. Closed source, especially Apple's style of closed source, will always have issues like this. It pretty much comes with the landscape.

    1. @Prestashop

      You couldn't be more wrong. Both Android and Apple have to find the least common denominator. You have to assume your end user is stupid. Individuals that run open source are not least-common-denominator users. Both Android and Apple have to moderate for the least common denominator, and that is a good thing. If they didn't do this, it would weaken the ecosystem for all users. It doesn't matter if it's Google Play or the App Store: apps need to be vetted.

      You need to see the greater context. The mainstream end user does not read GigaOM. If Apple and Android only had users that read GigaOM, then a more open Google Play and App Store could be possible. But let's face it, the average user believes any BS that is posted on Facebook and any 419 scam.
