Researchers tricked Apple into approving an app loaded with malware

Researchers tricked Apple into approving an app loaded with malware
Researchers at Georgia Tech managed to get an app approved by Apple and posted on the Apple App Store. But unlike other apps, this one was a ticking time bomb. Inside the app, researchers placed fragments of code that were programmed to come together and assemble itself into malware. The program, aptly code named Jekyll, could send emails, tweets and texts under the radar while at the same time it could grab a device's ID number, steal personal information, take pictures and attack other apps. And it could even send mobile Safari to a page containing even more malware. In other words, this app could have been an iPhone user's worst nightmare.

The good news is that the researchers quickly took down the listing after it was posted for just a few minutes back in March. No innocent iPhone installed the app. The Georgia Tech team, on the other hand, downloaded the program and infected their own device. The researchers were able to tell that Apple ran the program for only a few seconds before giving it a stamp of approval. Unless it ran the app for a longer period of time, Apple would never know about the malware because the bad code was hidden in separate small "code gadgets" hidden by a legitimate app. Once the app was approved, the code was designed to stitch together to form the troublesome malware that could wreak havoc on an iPhone.

Apple's review process is not doing enough to safeguard the App Store. That is the message that researchers are broadcasting following the ruse. Long Lu, a member of the research team says, "The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen." Lu adds that it is possible that some apps on the App Store are malware and have just not yet been detected.

source: MITTechnologyReview via GIGaom

FEATURED VIDEO

57 Comments

1. Kelley71

Posts: 105; Member since: Nov 26, 2012

Sane time?

2. gazmatic

Posts: 822; Member since: Sep 06, 2012

at least now the app store would be safer going ahead i dont think apple wants this kind of publicity hopefully

3. quadrazeus

Posts: 359; Member since: May 03, 2013

My cousin tricked Google into approving an app loaded with malware. And he's just 17, lol.

4. Sauce unregistered

I don't think anyone has to even 'trick' Google into getting malware onto the Play Store.

5. nerdylish

Posts: 51; Member since: Apr 13, 2013

Anybody can do that :P

9. maysider

Posts: 38; Member since: Aug 11, 2013

I can even rob you in the street= freedom With iOS you have fascism

10. PhoneArenaUser

Posts: 5498; Member since: Aug 05, 2011

You said that in defence of Apple? :D

51. quadrazeus

Posts: 359; Member since: May 03, 2013

No. :D

53. PhoneArenaUser

Posts: 5498; Member since: Aug 05, 2011

Common, you did that as tedkord says in his comment #26. :D

12. PapaSmurf

Posts: 10457; Member since: May 14, 2012

Now that I've realized this, why even mention the Play Store when this is a App Store article...?

13. Shatter

Posts: 2036; Member since: May 29, 2013

because IOS is said to have a lower chance of getting a virus and very few apps with it in the store while this proves that anybody can do it and get it past apple..

45. PapaSmurf

Posts: 10457; Member since: May 14, 2012

You did everything but answer my question.

26. tedkord

Posts: 17469; Member since: Jun 17, 2009

Because they have a deep seated psychological need to excuse Apple, so they try to divert attention by throwing out anything they can about the enemy. It's a time honored tactic employed by school children the world over.

40. PhoneArenaUser

Posts: 5498; Member since: Aug 05, 2011

100% to the target! :) +1

50. quadrazeus

Posts: 359; Member since: May 03, 2013

Freedom of speech. That's why.

11. androidfanboy

Posts: 162; Member since: Jun 24, 2013

Lol the apple fanboys are in denial haha

14. Googler

Posts: 813; Member since: Jun 10, 2013

Those who don't think they need defenses are the most defenseless of all. App that attacks other apps, who knows what havoc this thing could have done if a true hacker had unleashed it.

16. darkkjedii

Posts: 31612; Member since: Feb 05, 2011

Major damage

15. darkkjedii

Posts: 31612; Member since: Feb 05, 2011

I think the pentagon needs to hire these researchers, man they've got skillz. Apple hire these guys!!!

18. roscuthiii

Posts: 2383; Member since: Jul 18, 2010

Very clever implementation indeed... they're probably being sequestered by the NSA as we speak (well, technically type).

21. darkkjedii

Posts: 31612; Member since: Feb 05, 2011

Wouldn't surprise me. Big brothers always watching.

17. roscuthiii

Posts: 2383; Member since: Jul 18, 2010

There's not one thing Man can make that another can't break. All just a matter of time.

19. gazmatic

Posts: 822; Member since: Sep 06, 2012

well said

22. darkkjedii

Posts: 31612; Member since: Feb 05, 2011

So true

20. Taters

Posts: 6474; Member since: Jan 28, 2013

This is why Apple is one of the worst companies in the world. They cut costs on EVERYTHING, except lawsuits, including app testing when they have a 100 billion in the bank. How can the Apple fans not see that they are getting raped hard? Buying an Apple product is like going to the same restaurant and paying 20 bucks for a bowl of rice or instant noodles. Not only that, it is like not noticing that restaurant owner is swimming in money and not even inspecting the noodles before serving them. Then when asked by someone why they are paying $20 for a bowl of rice that costs cents and can be purchased elsewhere for $2 tops, they respond by it just works. I get full from that bowl of rice and it's simple. It's not cluttered with side dishes and stuff, you know, those things that add flavor to your meal. 0.o You guys are getting raped and they are laughing about ripping you off by swimming in their billions and only taking 20 seconds to inspect an app. Other companies that struggle to make a profit has an excuse, they can't afford to inspect more than 20 seconds. Apple can afford it easily and they still take all the short cuts they can get, more so than even poor companies. Wake up ifans.

23. Sauce unregistered

I understand how you feel because maybe you as an individual see it differently than the individuals who purchase products from Apple. These individuals do not care about spending that money on those products because 1) They have it and can throw it around. 2) They can afford it. 3) They budget to afford a product that they like. Individuals like yourself and I, and many others for example, are not like them so we turn to other items with a cheaper price. Then again, there are many phones just as expensive as Apple products, so it comes down to personal taste and choice. Open your eyes, there's a company and product for everyone. Apple happens not to be for you. Of course there are many other reasons that can be listed, but from reading your ignorance, this is what came off the top of my head.

24. darkkjedii

Posts: 31612; Member since: Feb 05, 2011

But the play store has lots of malware too. Being open source google regularly does not inspect apps before allowing them in. All companies are greedy, and money/power driven. Your post wasn't even necessary, cuz we already know how big business works. Apple, google, Samsung, and others practice it quite well. Build for low sell for high, can we say profit? Doesn't matter who's the greediest when they're all greedy, doesn't matter who profits the most when they all profit. Apple is google is Samsung. The worst companies though are cigarette, beer, food/soft drink ones. They package cancer, diabetes, heart disease, stroke, obesity, and other maladies. They sell them in the form of Pepsi, coke happy meals, and snickers. And you call apple one of the worst companies? Dude get real.

29. VZWuser76

Posts: 4974; Member since: Mar 04, 2010

Just because Android is open source, does not mean the apps are. You can't take an app someone created and make tweaks to it, only the dev who wrote it can. Now the OS you can tweak or change to your hearts content, but if you fork the OS beyond what Google allows, you lose access to Google's services, including the Play Store. That's why many lower end Android models have their own app store, because they have altered the OS beyond what Google allows and lost access to the Play Store. If anything this is a good thing. Better the good guys finding this out than those who would use it to steal info, money, etc.

31. Shatter

Posts: 2036; Member since: May 29, 2013

Apple and Samsung give you radiation, food doesn't.

35. darkkjedii

Posts: 31612; Member since: Feb 05, 2011

No but tons of the foods we eat cause, cancer, obesity, gout, hypertension, diabetes etc. don't go there with me Shatter, keep it about tech. Health and fitness is my passion, I know my stuff...trust me on that.

* Some comments have been hidden, because they don't meet the discussions rules.

Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.