Jekyll malware app reveals flaw in Apple’s App Store review process

Apple’s strict app review process has safeguarded the App Store from malware, but a new paper from researchers at the Georgia Institute of Technology shows that it’s possible to remotely execute hidden malicious code included in apps downloaded through the App Store.

The researchers call these “Jekyll” apps, which are similar to trojan programs in that the “hacker” controls both the app and the server it connects to. The exploit is fairly complicated, but the simplified flow of events is:

  • The attackers develop an iOS app with a server side component, which they control.
  • In addition to the normal code, the attackers also include malicious code, which makes (undetectable) calls to private iOS APIs to gain access to sensitive personal information, which could then be uploaded to their servers.
  • While a normal app that includes such malicious code would get rejected in Apple’s review process, the attackers use a sophisticated technique to prevent such code from ever running during the normal course of execution of the app.
  • The app passes Apple’s review process and goes live on the App Store without ringing any alarms.
  • Now the app exploits a stack overflow (triggered by a response from the server) to change the execution sequence of instructions, so that control reaches the hidden malicious code, which then gets executed.

The researchers demoed malicious code that could automatically send tweets, record videos without user consent, dial any number and so on.

The above explanation is a very simplified version of what actually goes on, so if you’re interested in the details you can read the research paper (PDF link) published by the researchers.

In the paper, the researchers say that it would be very hard for Apple to effectively thwart such “Jekyll” apps on the App Store:

We argue that the task of making all apps in App Store vulnerability-free is not only theoretically and practically difficult, but also quite infeasible to Apple from an economic perspective because such attempts will significantly complicate the review tasks, and therefore, prolong the app review and approval process that is already deemed low in throughput by third-party app developers.

Apple, for its part, says that it has made some modifications to iOS 7 which prevent the exploit from working. Its tight control over the App Store helps, too: the company can at any time pull offending apps and suspend the developer accounts of those found guilty of exploiting these techniques. iOS, of course, still remains very secure, with defensive measures like ASLR and sandboxing, and even these apps are ultimately limited by the fact that they don’t have root access to the OS and can’t run arbitrary, unsigned code.

Back in 2011, noted iOS hacker Charlie Miller had managed to exploit a flaw in iOS’ code signing mechanism, which allowed him to run arbitrary code sent from a server on an iPhone via an approved app on the App Store. More recently, Apple fixed a malicious charger hack, again discovered by researchers at the Georgia Institute of Technology, in iOS 7.

It remains to be seen how Apple responds to this new threat.

[Via MIT Technology Review]

  • Chrck

    While theoretically impossible to stop all such malware, they don’t seem to be spending much time to actually check for it. Somewhere else it was quoted that Apple spent almost no time reviewing the app.

    • Matt Black

      They must spend a certain amount of time because so far they have prevented viruses and malware from the App Store. I don’t get why everyone’s always trying to bring Apple down!

      • Pacomacman

        Agreed, and if an app does slip through Apple are quick to remove it. Even if a hacker takes control of an iOS app it’s still extremely difficult to take down the OS, unlike other OS’s

        • user

          They spent almost no time reviewing the apps – there is an automated system that usually tests them.
          Even if they remove the app from the store that doesn’t help all the people who already installed it and are vulnerable until they reinstall the OS (if their device is not JB – else there is no way to be certain unless you skip the recovery from backup part).
          As for the iOS stability – don’t make me laugh … it has flaws as any other OS and it can be crashed as easily as any other, the difference is that it hides the fact from the user and thus leaves the wrong impression …

      • Chrck

        In the other article it said that Apple spent a matter of minutes checking the app. They could do a little better than that in prevention. And saying that Apple should be a little more thorough is not trying to bring Apple down.

        • Matt Black

          Hey there. Sorry, I realised that my comment may come off as though I was having a dig at you. I wasn’t at all. I can see that you’re pro-Apple. What I would say though RE the other article is it may not necessarily be true. Again I wasn’t having a pop at you about bringing Apple down, I meant most Apple websites and news generically.

  • Matt Black

    I guess if the developer ever did try to release or use a virus or malware through the App Store app Apple would remove the app and ban the developer from ever developing for Apple again.

    • user

      Like such a developer will give real info when registering or have trouble registering a few accounts …

      • Matt Black

        Like we’ve already established, Apple seem to be doing a pretty good job as these apps don’t make it onto the App Store and if ever they do they’re removed almost instantaneously.