Mystery has long shrouded how Apple vets iPhone, iPad, and iPod apps for safety. Now, researchers who managed to get a malicious app up for sale in the App Store have determined that the company’s review process runs at least some programs for only a few seconds before giving the green light.
This wasn’t long enough for Apple to notice that an app that purported to offer news from Georgia Tech contained code fragments that later assembled themselves into a malicious digital creature. This malware, which the researchers dubbed Jekyll, could stealthily post tweets, send e-mails and texts, steal personal information and device ID numbers, take photos, and attack other apps. It even provided a way to magnify its effects, because it could direct Safari, Apple’s default browser, to a website with more malware.
“The app did a phone-home when it was installed, asking for commands. This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed,” says Long Lu, a Stony Brook University researcher who was part of the team at Georgia Tech, led by Tielei Wang, that wrote the Apple-fooling app.
The Jekyll app was live for only a few minutes in March, and no innocent victims installed it, Lu says. During that brief time, the researchers installed it on their own Apple devices and attacked themselves, then withdrew the app before it could do real harm.
Lu says that by monitoring the app, they could tell that Apple ran it for only a few seconds prior to releasing it. During the review, the malicious code had been decomposed into “code gadgets” that were hidden under the cover of legitimate app operations and could be stitched together after approval. “The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen,” Lu says (see “Clues Suggest Malware Is Moving from PCs to Mobile Devices”).
The paper was slated for a talk Friday at the Usenix conference in Washington, D.C. Tom Neumayr, an Apple spokesman, said the company made some changes to its iOS mobile operating system in response to issues identified in the paper. Neumayr would not comment on the app-review process.
Apple has sold well over 600 million devices that run iOS (iPhones, iPads, and iPod Touches), yet only a handful of malicious apps have been discovered. The new research shows that it’s possible that bad apps are lingering on Apple devices without having been detected, Lu says.
To know whether that is the case, the app-vetting process would have to include continuous monitoring of customers’ phones, says Marc Rogers, principal researcher at Lookout, a mobile security firm. He emphasized that “all OSes are vulnerable to this kind of attack, whether mobile or otherwise.”
Xuxian Jiang, a mobile security researcher at North Carolina State University who has investigated the security of Android devices and Google’s app store, Google Play, adds that the new research “simply reminds us that no app-vetting process will be perfect.”
This story was updated to clarify that during Apple’s test, the app was run for only a few seconds. This update also expanded the context of Neumayr’s comment.