Researchers Successfully Sneak Malware Through Apple’s App Review Process

redOrbit Staff & Wire Reports – Your Universe Online

iPad and iPhone users, beware: Apple’s mobile app review procedures might not be as good at detecting potentially malicious software as you might think, according to a group of Georgia Tech computer security researchers.

In a paper presented last week at the Usenix Security ’13 conference, authors Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee detail how they were able to sneak malware through the Cupertino, California tech giant’s screening process.

According to David Talbot of MIT Technology Review, the app containing the malicious software claimed to offer news from Georgia Tech. In reality, though, it contained dormant pieces of code that would later combine to form malware capable of posting tweets, sending texts or emails, taking pictures, stealing personal information and attacking other programs without the device owner’s knowledge.

The study authors dub this type of malware “Jekyll apps” because such apps keep their true nature hidden until they are installed on a person’s phone or tablet. Once on a user’s device, they rearrange their own signed code to execute malicious control flows that did not exist during the software review process.

“We implemented a proof-of-concept Jekyll app and successfully published it in App Store. We remotely launched the attacks on a controlled group of devices that installed the app,” they wrote in their paper, Jekyll on iOS: When Benign Apps Become Evil. “The result shows that, despite running inside the iOS sandbox, Jekyll app can successfully perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps, and even exploiting kernel vulnerabilities.”

Furthermore, the Georgia Tech researchers included code in their Jekyll app that allowed them to monitor Apple’s review process. They discovered that the app had only been tested for “a few seconds” before it was allowed to go live on the iOS App Store. Lu told AppleInsider that the program was only accessible for a few minutes, and was not installed by any consumers before it was removed from the App Store as a safety precaution.

“The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen,” Lu explained.

“Apple takes justifiable pride in its iOS security regime. Though the company’s scrutiny of third-party apps often forces developers to do extra work to satisfy its rules, its oversight has kept malware at bay more effectively than the efforts by the company’s competitors,” added Information Week Editor-at-Large Thomas Claburn. “Nonetheless, iOS, like any operating system, has flaws that can be identified and exploited. While Apple tends to address such flaws quickly once it becomes aware of them, it can’t fix problems that it can’t identify.”

Apple spokesman Tom Neumayr told AppleInsider that the company had reviewed the research and had already updated its mobile operating system to address the issues raised by the Georgia Tech researchers. He did not provide specific information about what changes were made, nor did he address the App Store review process itself, the website’s staff added.