Remotely Assembled Malware Makes it Past Apple and onto the App Store

  • 16 August 2013
  • 4 replies

Userlevel 7
  • Retired Webrooter
  • 1581 replies
This story really makes you wonder how many malicious apps may already be on Apple's App Store.  Apple is very proud of its review process, which it claims prevents any malware from making it into the store.  However, this exploit proves quite the opposite, and it also proved exactly how rigorous the Apple review process is.  And how rigorous is that?  Well, according to the researchers, Apple runs an app for a few seconds and then gives it a green light if it doesn't find any issues using a static form of analysis - in other words, it's not exactly a robust process.
 


 
From TechnologyReview.com:
Mystery has long shrouded how Apple vets iPhone, iPad, and iPod apps for safety. Now, researchers who managed to get a malicious app up for sale in the App Store have determined that the company’s review process runs at least some programs for only a few seconds before giving the green light.
 
This wasn’t long enough for Apple to notice that an app that purported to offer news from Georgia Tech contained code fragments that later assembled themselves into a malicious digital creature. This malware, which the researchers dubbed Jekyll, could stealthily post tweets, send e-mails and texts, steal personal information and device ID numbers, take photos, and attack other apps. It even provided a way to magnify its effects, because it could direct Safari, Apple’s default browser, to a website with more malware.

To be fair, this was a "proof-of-concept" attack.  It was carried out by researchers from Georgia Tech who only infected their own phones and then pulled the app down from the store themselves.  However, if these researchers figured it out, what's to stop anyone else with more malicious intentions from doing the same thing?
 
As of the time of the article's publication, Apple was refusing to comment on the app review process, though they did claim to have made some changes to the iOS operating system in response to the identified issues.


Userlevel 7
Badge +6
Not that it ever was, but it's no longer appropriate to treat smartphone applications differently than PC applications.
 
Install only ones that have a track record and that you trust.
Userlevel 7
Proof of concept or not, the result is proof that it can be done.  If it can be done, it most likely has, or will be at some point.
 
Better get those iOS devices protected just like any other internet connected device!
Userlevel 7
Badge +56
@DavidP1970 wrote:
Proof of concept or not, the result is proof that it can be done.  If it can be done, it most likely has, or will be at some point.
 
Better get those iOS devices protected just like any other internet connected device!
I was thinking of the same thing, as my sister-in-law was asking about an antivirus for Apple mobile devices yesterday, so I pointed her to the Webroot SecureWeb Browser and showed her a few articles about why Apple will not let iOS use AVs. I got her set up fine on her MacBook Pro and she loves how easy it was to install, as I sent her the Video Tutorial for Mac Installation & the Online Helpfile.
 
Daniel

Userlevel 3
Badge +8
Just more proof positive that Apple products, in all iterations, are just as vulnerable as any Windows, Android, or other operating system. The vetting process for apps on cell phones is no more effective than any other process that requires human intervention. Unless they are completely disassembling the code and conducting a full review and test there will be risks and gaps to the process, and even that won't completely eliminate them. The challenge to overcome is the marketing hype that Apple has pumped out for years about being virus free and so much better than other systems in that regard. And they are repeating the behavior with their app store. And people buy it.
 
The greatest security risk out there is still the end user, and always will be. An end user will overcome every obstacle admins put in place with a single finger. 
"This app will access your IRS file - Allow?" Sure, Bob said this app is the most awesome thing ever, I gotta see it.
 
Welcome to the reality of having a computer in the palm of your hand - that stores confidential information, passwords, financial data and more. Hackers have a reason to get access to your phone, the same drivers that motivate them to get access to your laptop, PC, or server. These aren't your Grandma's cell phones any longer.
 
If a bot gets on enough phones, it could theoretically take out or bog down cell phone towers I would guess. Remote control your phone and call my friend overseas at astronomical prices? Certainly not unreasonable to think this may be possible.
 
I wonder if Apple vets the updates to Apps as closely as they vet the apps themselves?
 
Changes to the iOS operating system in response to issues? I haven't seen an update on my phone, 6.1.3 - 5 months old, and the story is a month old, am I missing something?
 
Wayne
