Georgia Tech researchers sneak malicious app past Apple checks

Researchers claim to have found a way of hiding malicious code in apps from Apple’s app review and code-signing mechanisms

US researchers claim to have found a way of hiding malicious code in apps from Apple’s app review and code-signing mechanisms.

In a research paper, the researchers at the Georgia Institute of Technology say they have found a way that allows attackers to reliably hide malicious behaviour that would otherwise get their app rejected by the Apple review process.

As a proof of concept, the team submitted an app that appeared only to offer news from Georgia Tech, but also contained pieces of code that would later combine to form malware, according to US reports.

The hidden malware was designed to post tweets, send text messages, send email messages, take photos, steal personal information and attack other apps.

“The key idea is to make the apps remotely exploitable and subsequently introduce malicious control flows by rearranging signed code,” the research paper said.

The researchers explained that, because the new control flows do not exist during the app review process, such software – dubbed "Jekyll apps" can stay undetected when reviewed and easily obtain Apple’s approval.

“We implemented a proof-of-concept Jekyll app and successfully published it in App Store. We remotely launched the attacks on a controlled group of devices that installed the app,” the researchers said.

Read more about mobile security

The test showed that, despite running inside the iOS sandbox, a Jekyll app can perform many malicious tasks, they said.

The proof-of-concept app also included code that allowed the researchers to monitor Apple’s review process.

Results showed that the app had been tested only for “a few seconds” before it was allowed to go live on the iOS App Store.

The researchers removed their app from the App Store before it was installed by any consumers, but said their test showed the Apple review process is mostly doing a static analysis of the app. They said this was not sufficient because dynamically generated logic cannot be seen.

An Apple spokesman told AppleInsider that his company has reviewed the research, and that it had updated the iOS mobile operating system to address the issues raised by the Georgia Tech researchers.

But the Apple spokesman did not provide specific information about what changes were made, nor did he address the App Store review process itself, the website said.

The research paper concludes by calling for official support for runtime security monitoring mechanisms on iOS.

“Our design of Jekyll apps intends to motivate such mechanisms, which can protect iOS against advanced attacks and ensure that the app review practice and regulations receive their maximum efficacy,” the researchers said.

Read more on Endpoint security