Remotely Assembled Malware Blows Past Apple’s Screening Process

Research unmasks a weakness of Apple’s App Store: new apps apparently are run for only a few seconds before approval.
August 15, 2013

Mystery has long shrouded how Apple vets iPhone, iPad, and iPod apps for safety. Now, researchers who managed to get a malicious app up for sale in the App Store have determined that the company’s review process runs at least some programs for only a few seconds before giving the green light.

Bad news: A screenshot of an app that purportedly offered only news from Georgia Tech but really was loaded with malware.

This wasn’t long enough for Apple to notice that an app that purported to offer news from Georgia Tech contained code fragments that later assembled themselves into a malicious digital creature. This malware, which the researchers dubbed Jekyll, could stealthily post tweets, send e-mails and texts, steal personal information and device ID numbers, take photos, and attack other apps. It even provided a way to magnify its effects, because it could direct Safari, Apple’s default browser, to a website with more malware.

“The app did a phone-home when it was installed, asking for commands. This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed,” says Long Lu, a Stony Brook University researcher who was part of the team at Georgia Tech, led by Tielei Wang, that wrote the Apple-fooling app.

The Jekyll app was live for only a few minutes in March, and no innocent victims installed it, Lu says. During that brief time, the researchers installed it on their own Apple devices and attacked themselves, then withdrew the app before it could do real harm.

Lu says that by monitoring the app, they could tell that Apple ran it for only a few seconds prior to releasing it. During the review, the malicious code had been decomposed into “code gadgets” that were hidden under the cover of legitimate app operations and could be stitched together after approval. “The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen,” Lu says (see “Clues Suggest Malware Is Moving from PCs to Mobile Devices”).

The paper was slated for a talk Friday at the Usenix conference in Washington, D.C. Tom Neumayr, an Apple spokesman, said the company made some changes to its iOS mobile operating system in response to issues identified in the paper. Neumayr would not comment on the app-review process.

Apple has sold well over 600 million devices that run iOS (iPhones, iPads, and iPod Touches), yet only a handful of malicious apps have been discovered. The new research shows that it’s possible that bad apps are lingering on Apple devices without having been detected, Lu says.

To know whether that is the case, the app-vetting process would have to include continuous monitoring of customers’ phones, says Marc Rogers, principal researcher at Lookout, a mobile security firm. He emphasized that “all OSes are vulnerable to this kind of attack, whether mobile or otherwise.”

Xuxian Jiang, a mobile security researcher at North Carolina State University who has investigated the security of Android devices and Google’s app store, Google Play, adds that the new research “simply reminds us that no app-vetting process will be perfect.”

This story was updated to clarify that during Apple’s test, the app was run for only a few seconds. This update also expanded the context of Neumayr’s comment.
