Researchers at the Georgia Institute of Technology were able to get a malicious app approved by Apple and into the App Store via a “Jekyll & Hyde” approach, where a benign app was remotely changed into a malicious app after it had been approved and installed.
It appeared to be a harmless app that Apple reviewers accepted into the iOS app store. They were later able to update the app to carry out a variety of malicious actions without triggering any security alarms. The app, which the researchers titled “Jekyll,” worked by taking the binary code that had already been digitally signed by Apple and rearranging it in a way that gave it new and malicious behaviors …
The researchers presented their findings in a paper at the USENIX Security Forum.
Our method allows attackers to reliably hide malicious behavior that would otherwise get their app rejected by the Apple review process. Once the app passes the review and is installed on an end user’s device, it can be instructed to carry out the intended attacks. The key idea is to make the apps remotely exploitable and subsequently introduce malicious control flows by rearranging signed code. Since the new control flows do not exist during the app review process, such apps, namely Jekyll apps, can stay undetected when reviewed and easily obtain Apple’s approval.
An Apple spokesman said that changes have been made to iOS as a result of the researchers’ exploit, but did not specify whether the changes were made to the current iOS 6 or to Apple’s upcoming iOS 7 operating system.
The researchers say they left their app on the App Store for only a few minutes, and that it was not downloaded by anyone outside of the project.