Researchers outwit Apple, plant malware in the App Store
'Jekyll' app assembles hidden attack code only after Apple's screened the software
Computerworld - A team of researchers from Georgia Tech has demonstrated how hackers can slip a malicious app by Apple's reviewers so that it's published to the App Store and ready for unsuspecting victims to download.
Led by Tielei Wang, a research scientist at Georgia Tech's school of computer science, the team created a "Jekyll" app -- named for the Robert Louis Stevenson novella, Strange Case of Dr. Jekyll and Mr. Hyde -- that posed as a benign news reader. Hidden inside the app, however, were code fragments, dubbed "gadgets," that self-assembled to create a proof-of-concept exploit only after the app was approved by Apple.
The assembled attack code was able to send tweets, email and texts without the user's knowledge, and could steal the iPhone's unique device ID, turn on the camera and take video, forward voice calls to other phones and connect with local Bluetooth devices. Because the reconfigured app also "phoned home" to a server operated by the researchers, they were able to download additional malware and compromise other apps on the smartphone, including the Safari browser.
What had seemed on the surface -- far below the surface for that matter -- to be a harmless Dr. Jekyll was silently transformed into an evil Mr. Hyde.
Those code gadgets -- and the app's true control flow and operation -- were disguised in such a way that it would be virtually impossible for Apple's current review methods to discover the app's real intent. "Even with a longer time [to analyze the app] they can't find that it's malicious," said Wang in an interview Monday.
Vulnerabilities, which the Jekyll app secretly planted in its code, are also nearly impossible to detect or stamp out, he said.
In fact, Wang and his team -- Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee, all of Georgia Tech -- sidestepped every major security technique baked into iOS, including sandboxing and code signing, as well as anti-exploit technologies like DEP (data execution prevention) and ASLR (address space layout randomization).
"For instance, the app can deliberately leak its memory layout information to the remote server so that ASLR is completely ineffective," the group wrote in the paper (download PDF) they presented Friday in Washington, D.C. at the USENIX Security Symposium. "Based on the memory layout information, attackers can launch attacks by reusing the [existing] code inside the app. As a result, DEP and code signing cannot prevent the exploit."
The Georgia Tech researchers built their Jekyll app and submitted it to Apple, which approved it seven days later. Once on the App Store, the team downloaded the app onto their own iPhones, told it to transform into a Mr. Hyde and ask for instructions from their server. After confirming that it worked as designed, they removed the app from the App Store.
No other users downloaded the app while it was available, Wang said.
Unlike Android, Apple's iOS has been remarkably free of malicious apps, due to the Cupertino, Calif. company's mandate that only apps from its App Store can be installed on an unmodified iPhone. Apple also conducts a review before approving an app, purportedly looking for malicious code or unsanctioned operations. It rejects those it believes are suspicious or that sport illegal functions.
- Timeline: How Apple's iOS gained enterprise cred
- China calls the iPhone and iOS 7 threats to national security
- Dev interest in OS X Yosemite is 4X what it was for Mavericks in '13
- The Pangu jailbreak for iOS could turn into a sinister attack
- Apple nails Health timing as fitness app usage soars
- Developer demos iPad split-screen in photos, video
- Microsoft should grab Apple's 'Handoff' for Office
- Developer discovers split screen in iOS 8 code
- Apple opens up iOS, struts Mac-iPhone-iPad integration
- iOS 8 split-screen hints at iPad's enterprise ambition
- Deep Security +VMware vSphere with Operations Management Most midsize organizations are highly virtualized on VMware, and while this has produced significant savings, it also has created new challenges when it...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- DDoS Infographic: How Are Attacks Evolving? For the third consecutive year, Neustar surveyed businesses across major industries to track the evolution of DDoS attacks. Are they more frequent? Larger?...
- How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks Threat sharing networks have been around for a long time, however they have typically been "invitation-only", available to only large companies, or those...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Malware and Vulnerabilities White Papers | Webcasts