Pieces of innocent-looking code are stitched together only after the app is installed

Aug 17, 2013 07:29 GMT  ·  By

Researchers have found a way to upload a malicious program to Apple’s App Store. The malware was capable of stealing personal information, taking photos, and attacking other apps.

Tielei Wang and his team at Georgia Tech developed an app they called “Jekyll.” They carried out the research back in March but presented their findings only now, at the Usenix conference in Washington, MIT Technology Review reports.

According to the researchers, the app was live for only a few minutes and was not installed by anyone other than themselves.

So how did they pull it off?

The app, which appeared to be a Georgia Tech news reader, contained pieces of code that were assembled into a malicious program only after it was installed. The malicious code was disguised as legitimate app operations that could be stitched together once the software had been approved by Apple.

“The app did a phone-home when it was installed, asking for commands. This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed,” noted Long Lu, one of the members of the research team.

The experiment demonstrated that Apple runs at least some applications for only a few seconds before allowing them into the App Store.

“The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen,” Lu added.

Apple representatives say the company has made some changes to the way apps are reviewed in an effort to address the issues highlighted in the research paper. However, they declined to comment on how the app review process works.