Malicious apps smuggled into Apple app store
SAN FRANCISCO - Computer scientists in the United States claim to have discovered a way to slip malware into Apple’s app store without being detected by the mandatory review process.
Researchers at the Georgia Institute of Technology have published a paper on what they call “Jekyll apps”, which have the outward appearance of being benign but contain vulnerabilities that allow them to be exploited remotely.
In their investigation, the team, led by Tielei Wang, developed a proof-of-concept Jekyll app and successfully published it to the Apple app store. The app worked by taking the binary code that had already been digitally signed by Apple and rearranging it in a way that gave it new and malicious behaviours.
“The key idea is to make the apps remotely exploitable and subsequently introduce malicious control flows by rearranging signed code,” the researchers state in their paper.
“Since the new control flows do not exist during the app review process, such apps, namely Jekyll apps, can stay undetected when reviewed and easily obtain Apple’s approval.”
Once their Jekyll app had been accepted to the app store, the researchers were able to remotely launch attacks on a controlled group of devices that had installed the app, the Daily Telegraph reported.
Despite running inside the iOS sandbox, the app was able to perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps, and even exploiting kernel vulnerabilities.
“Such a seemingly benign app can pass the app review because it neither violates any rules imposed by Apple nor contains functional malice. However, when a victim downloads and runs the app, attackers can remotely exploit the planted vulnerabilities and in turn assemble the gadgets to accomplish various malicious tasks.”
In the paper, the researchers set out possible countermeasures that Apple could take to mitigate this threat. In particular, they recommend introducing more advanced runtime monitoring mechanisms that can limit Jekyll apps’ ability to carry out malicious actions once they are running on a device.
Apple spokesman Tom Neumayr told MIT Technology Review that Apple's developers have made changes to the iOS operating system in response to issues identified in the paper. However, it remains unclear whether the vulnerabilities have been completely fixed.
iOS is not the only mobile phone platform vulnerable to this type of attack. Earlier this month, researchers from antivirus provider Trend Micro discovered an exploit that allows hackers to inject malicious code into legitimate Android apps without invalidating their digital signature.
AGENCIES