Researchers at Georgia Tech have used a specific technique to sneak malware onto Apple's heavily curated App Store. The team wrote an app, submitted it to the App Store, and won approval even though the app had significant malware because of the way the malware code was hidden within the app.
Code Gadgets & Jekyll
The researchers developed an app that purported to deliver news from their college, Georgia Tech. According to MIT Technology Review, the team broke malware-related code into snippets they called “code gadgets” that were then scattered throughout the app's overall code base.
As noted in the comments below, this technique isn't new. Self modifying code has been around for a while, but this is the first report of successfully using dynamically generated logic to disguise malware and get it through Apple's app approval process.
The way it works is this: the “code gadget” snippets did nothing in the few seconds the app was actively run during the app approval process. Apple has never revealed how it tests apps, but in the case of this app, the researchers were able to remotely monitor how long it ran, most likely by seeing how long data was pulled from the Georgia Tech servers. According to them, it was only a few seconds.
“The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen,” Long Lu, a researcher at Stony Brook University who participated in the project, said.
Time Bomb
Once it was approved, the researchers installed the app on their own iOS devices and then immediately withdrew the app from the App Store before others could download it. Once it ran on their sacrificial test devices, the real evil in their technique commenced.
That's because those “code gadgets” began assembling themselves back into their full form, and that full form was designed to stealthily, “post tweets, send e-mails and texts, steal personal information and device ID numbers, take photos, and attack other apps.”
“The app did a phone-home when it was installed, asking for commands,” Mr. Long explained. “This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed.”
With this in mind, you can see why the researchers called their malware “Jekyll.”
Ramifications
This kind of vulnerability isn't limited to iOS, and it's an issue that could affect all platforms. Marc Rogers, a principal researcher at mobile security firm Lookout told MIT Technology Review that, “all OSes are vulnerable to this kind of attack, whether mobile or otherwise.”
There are some mitigating aspects about this story. The first is that now that the group has presented its findings—which it did on Friday—the issue is above board and is something the broader security industry can think about and develop counter measures.
More importantly, an Apple spokesperson said that Apple has already made changes to the app approval process as a result of this paper, though he didn't specify what those changes are for obvious reasons.
[Update: Thanks in part to the comments below, this article was updated to more accurately explain what the researchers at Georgia Tech did and why it matters. – Bryan]
Bugs courtesy of and made with help from Shutterstock.