Mystery has long shrouded how Apple vets iPhone, iPad, and iPod apps for safety. Now, researchers who managed to get a malicious app up for sale in the App Store have determined that the company’s review process runs at least some programs for only a few seconds before giving the green light.
This wasn’t long enough for Apple to notice that an app that purported to offer news from Georgia Tech contained code fragments that later assembled themselves into a malicious digital creature. This malware, which the researchers dubbed Jekyll, could stealthily post tweets, send e-mails and texts, steal personal information and device ID numbers, take photos, and attack other apps. It even provided a way to magnify its effects, because it could direct Safari, Apple’s default browser, to a website with more malware.
“The app did a phone-home when it was installed, asking for commands. This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed,” says Long Lu, a Stony Brook University researcher who was part of the team at Georgia Tech, led by Tielei Wang, that wrote the Apple-fooling app.
The Jekyll app was live for only a few minutes in March, and no innocent victims installed it, Lu says. During that brief time, the researchers installed it on their own Apple devices and attacked themselves, then withdrew the app before it could do real harm.
Lu says that by monitoring the app, they could tell that Apple ran it for only a few seconds prior to releasing it. During the review, the malicious code had been decomposed into “code gadgets” that were hidden under the cover of legitimate app operations and could be stitched together after approval. “The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen,” Lu says (see “Clues Suggest Malware Is Moving from PCs to Mobile Devices”).
The paper was slated for a talk Friday at the Usenix conference in Washington, D.C. Tom Neumayr, an Apple spokesman, said the company made some changes to its iOS mobile operating system in response to issues identified in the paper. Neumayr would not comment on the app-review process.
Apple has sold well over 600 million devices that run iOS (iPhones, iPads, and iPod Touches), yet only a handful of malicious apps have been discovered. The new research shows that it’s possible that bad apps are lingering on Apple devices without having been detected, Lu says.
To know whether that is the case, the app-vetting process would have to include continuous monitoring of customers’ phones, says Marc Rogers, principal researcher at Lookout, a mobile security firm. He emphasized that “all OSes are vulnerable to this kind of attack, whether mobile or otherwise.”
Xuxian Jiang, a mobile security researcher at North Carolina State University who has investigated the security of Android devices and Google’s app store, Google Play, adds that the new research “simply reminds us that no app-vetting process will be perfect.”
This story was updated to clarify that during Apple’s test, the app was run for only a few seconds. This update also expanded the context of Neumayr’s comment.
A Roomba recorded a woman on the toilet. How did screenshots end up on Facebook?
Robot vacuum companies say your images are safe, but a sprawling global supply chain for data from our devices creates risk.
A startup says it’s begun releasing particles into the atmosphere, in an effort to tweak the climate
Make Sunsets is already attempting to earn revenue for geoengineering, a move likely to provoke widespread criticism.
10 Breakthrough Technologies 2023
These exclusive satellite images show that Saudi Arabia’s sci-fi megacity is well underway
Weirdly, any recent work on The Line doesn’t show up on Google Maps. But we got the images anyway.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.