Mystery has long shrouded how Apple vets iPhone, iPad, and iPod apps for safety. Now, researchers who managed to get a malicious app up for sale in the App Store have determined that the company’s review process runs at least some programs for only a few seconds before giving the green light.
This wasn’t long enough for Apple to notice that an app that purported to offer news from Georgia Tech contained code fragments that later assembled themselves into a malicious digital creature. This malware, which the researchers dubbed Jekyll, could stealthily post tweets, send e-mails and texts, steal personal information and device ID numbers, take photos, and attack other apps. It even provided a way to magnify its effects, because it could direct Safari, Apple’s default browser, to a website with more malware.
“The app did a phone-home when it was installed, asking for commands. This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed,” says Long Lu, a Stony Brook University researcher who was part of the team at Georgia Tech, led by Tielei Wang, that wrote the Apple-fooling app.
The Jekyll app was live for only a few minutes in March, and no innocent victims installed it, Lu says. During that brief time, the researchers installed it on their own Apple devices and attacked themselves, then withdrew the app before it could do real harm.
Lu says that by monitoring the app, they could tell that Apple ran it for only a few seconds prior to releasing it. During the review, the malicious code had been decomposed into “code gadgets” that were hidden under the cover of legitimate app operations and could be stitched together after approval. “The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen,” Lu says (see “Clues Suggest Malware Is Moving from PCs to Mobile Devices”).
The paper was slated for a talk Friday at the Usenix conference in Washington, D.C. Tom Neumayr, an Apple spokesman, said the company made some changes to its iOS mobile operating system in response to issues identified in the paper. Neumayr would not comment on the app-review process.
Apple has sold well over 600 million devices that run iOS (iPhones, iPads, and iPod Touches), yet only a handful of malicious apps have been discovered. The new research shows that it’s possible that bad apps are lingering on Apple devices without having been detected, Lu says.
To know whether that is the case, the app-vetting process would have to include continuous monitoring of customers’ phones, says Marc Rogers, principal researcher at Lookout, a mobile security firm. He emphasized that “all OSes are vulnerable to this kind of attack, whether mobile or otherwise.”
Xuxian Jiang, a mobile security researcher at North Carolina State University who has investigated the security of Android devices and Google’s app store, Google Play, adds that the new research “simply reminds us that no app-vetting process will be perfect.”
This story was updated to clarify that during Apple’s test, the app was run for only a few seconds. This update also expanded the context of Neumayr’s comment.
MIT Technology Review