
Security researchers sneak malware past Apple’s App Store review using ‘Jekyll & Hyde’ approach

Researchers from the Georgia Institute of Technology managed to get a malicious app approved by Apple and included in the App Store by using a ‘Jekyll & Hyde’ approach, where the behaviour of a benign app was remotely changed after it had been approved and installed.

It appeared to be a harmless app that Apple reviewers accepted into the iOS app store. They were later able to update the app to carry out a variety of malicious actions without triggering any security alarms. The app, which the researchers titled “Jekyll,” worked by taking the binary code that had already been digitally signed by Apple and rearranging it in a way that gave it new and malicious behaviors … 

The researchers presented their findings in a paper at the USENIX Security Forum.

Our method allows attackers to reliably hide malicious behavior that would otherwise get their app rejected by the Apple review process. Once the app passes the review and is installed on an end user’s device, it can be instructed to carry out the intended attacks. The key idea is to make the apps remotely exploitable and subsequently introduce malicious control flows by rearranging signed code. Since the new control flows do not exist during the app review process, such apps, namely Jekyll apps, can stay undetected when reviewed and easily obtain Apple’s approval.

An Apple spokesman told MIT Review that changes have been made to iOS as a result of the exploit, but it’s not yet clear whether the change is to iOS 7 or the older iOS 5 and 6 versions attacked. The researchers only left their app in the store for a few minutes and said that it was not downloaded by anyone outside the project in that time.

Apple Senior Vice President Phil Schiller tweeted back in March about a study revealing the rising incidences of malware on Android. The study showed that Android accounted for 79 percent of all mobile malware in 2012, while iOS came in at less than 1 percent.

Via arsTechnica


Comments

  1. Leonardo Vida - 11 years ago

    “but it’s not yet clear whether this is to iOS 6 or 7”
    It’s clear this is both iOS 5.x and 6.x (page 3 on the research), but the affected version depends on the attack type!

    • Ben Lovejoy - 11 years ago

      I’ve clarified the wording: it’s not yet clear whether Apple has addressed the vulnerability in iOS 7, or created fixes for 5 and 6.

  2. Interesting research, but even when Apple approves the malicious app, they would know who submitted it, and I’m sure the FBI will be knocking on the developer’s door in no time.
    This is why Apple is so strict and careful with the Developer Program registration.

  3. diablo2211 - 11 years ago

    Hmm, how about thank you for pointing it out?

  4. Everyone involved in this project should have their Apple developer credentials pulled for life.

Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
