Researchers show how to slip malware into Apple’s App Store

Apple’s App Store can seem like Fort Knox, as Apple reviews each and every app before making it live. This fastidious approach works, for the most part, but it isn’t a perfect process. MIT Technology Review reports that researchers from Georgia Tech recently managed to get a malware-infected app approved by Apple and placed in the App Store.
Dubbed Jekyll, but submitted to Apple as an app for Georgia Tech News, the app had the ability to transform itself over time. “The app did a phone-home when it was installed, asking for commands. This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed,” said Long Lu, who was part of the team that created the app.
According to Lu, the team could tell that Apple ran the app for no more than a few seconds before approving it. That brevity is what let Jekyll through: its malicious logic existed only as fragments of code, hidden among legitimate app operations, that were pieced together while the app ran, and Apple's test run didn't last long enough for that to happen.
And Jekyll was hiding some pretty nasty malware. It could send e-mails and text messages, tweet, take photos, steal personal information and device ID numbers, and attack other apps, all without the user ever knowing. It even had a way to direct Apple’s Safari browser to a webpage filled with additional malware. Not the sort of thing you want on your phone or tablet.
Researchers infected their own Apple devices by installing the app directly from the App Store, then withdrew the app immediately afterward. It was live for only a few minutes, and no one outside the research team installed it during that time.
“The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen,” Lu said.
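To make the mechanism described above concrete (code fragments that are only assembled into malicious behaviour after the app phones home, and a review that does not run the app long enough to see that happen), here is a small Python model. It is an added illustration, not code from the Georgia Tech paper, from the Jekyll app, or from Apple's review pipeline, and it is in Python only because that runs anywhere. The fragment names, the constructed server reply, the sample contact list, the check-in timing and the two review heuristics are all assumptions of the example, not details reported in the article.

```python
"""Toy model of why a brief review misses logic an app assembles only after it
phones home. Added illustration; nothing here comes from the Georgia Tech paper
or from Apple's review tooling. Fragment names, the 'server reply', the sample
contacts and the review heuristics are all constructed for the example."""


# Code fragments, each with a legitimate use in a campus-news app. None of them
# is suspicious on its own; the harmful behaviour is the ORDER in which they
# run, and that order is not written anywhere in the shipped code.
def load_headlines(ctx):
    ctx["buffer"] = ["Campus news item 1", "Campus news item 2"]


def read_contacts(ctx):            # "share this story with a friend"
    ctx["buffer"] = list(ctx["contacts"])


def serialize_buffer(ctx):         # encode before caching or posting
    ctx["payload"] = ",".join(ctx["buffer"])


def upload(ctx):                   # post reader comments to the site
    ctx["uplink"].append(ctx["payload"])


FRAGMENTS = {
    "headlines": load_headlines,
    "contacts": read_contacts,
    "serialize": serialize_buffer,
    "upload": upload,
}

# The only control flow a reviewer can read out of the shipped code.
STATIC_PLAN = ["headlines", "serialize", "upload"]

# Constructed stand-in for the command the app receives when it phones home;
# in the real experiment this came from the researchers' own server.
SERVER_REPLY = ["contacts", "serialize", "upload"]


def run_app(ticks, checkin_at=5, server_reply=SERVER_REPLY):
    """Simulate `ticks` iterations of the app's main loop.

    Until tick `checkin_at` the app executes STATIC_PLAN. At that tick it
    'phones home' and from then on executes whatever sequence the server sent.
    Returns (trace_of_fragment_names, contents_sent_over_the_network).
    """
    ctx = {"contacts": ["alice", "bob"], "uplink": []}   # constructed sample data
    trace = []
    plan = STATIC_PLAN
    for t in range(ticks):
        if t == checkin_at:
            plan = server_reply          # logic that did not exist at install time
        for name in plan:
            FRAGMENTS[name](ctx)
            trace.append(name)
    return trace, ctx["uplink"]


def exfiltrates(trace):
    """True if contact data is read and later sent over the network."""
    return any(name == "contacts" and "upload" in trace[i + 1:]
               for i, name in enumerate(trace))


def static_review():
    """Reviewer inspects the plan literal in the source: only the benign flow is visible."""
    return exfiltrates(STATIC_PLAN)


def dynamic_review(ticks):
    """Reviewer runs the app for a fixed time budget and inspects what it did."""
    trace, _ = run_app(ticks)
    return exfiltrates(trace)


if __name__ == "__main__":
    print("static review flags app:", static_review())              # False
    print("3-tick dynamic review flags app:", dynamic_review(3))    # False: check-in at tick 5 never happens
    print("10-tick dynamic review flags app:", dynamic_review(10))  # True
    _, uplink = run_app(10)
    print("data that left the device:", uplink[-1])                  # alice,bob
```

Each fragment is individually defensible for a news app, so a scanner that flags dangerous APIs or dangerous call pairs has nothing to flag: the contacts-then-upload ordering is data that arrives at run time. A dynamic run with a budget shorter than the check-in interval sees exactly the same benign behaviour as the static read. The practical lesson is that behaviour gated on time or on a network round trip can only be observed by a test that outlasts the gate or that instruments the check-in itself.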
The Georgia Tech team performed this experiment back in March, but didn’t reveal any of their findings until publishing a paper for the USENIX Security Symposium this week.
Apple spokesman Tom Neumayr told MIT Technology Review that Apple has already made changes to iOS in response to the researchers’ findings, but he wouldn’t comment on Apple’s process for reviewing apps, about which it has always been notoriously secretive.
So while you still have a far better chance of downloading malware onto an Android device, this goes to show that no mobile operating system can ever claim to be truly safe.
This post was updated at 9:19am to clarify that Neumayr’s comment was in response to MIT Technology Review.