Researchers sneak 'Jekyll app' malware into App Store, exploit their own code


Tielei Wang and his team of researchers at Georgia Tech have discovered a method for getting malicious iOS apps past Apple's App Store review process. The team created a "Jekyll app" that seemed harmless at first, but after making it into the App Store and onto devices, is able to have its code rearranged in order to perform potentially malicious tasks.

Jekyll apps - likely named after the less malicious half of the classic Dr. Jekyll and Mr. Hyde pairing - are somewhat similar to previous work done by Charlie Miller. Miller's app had the end result of being able to execute unsigned code on a user's device by exploiting a bug in iOS, which Apple has since fixed. Jekyll apps differ in that they don't rely on any particular bug in iOS at all. Instead, the authors of a Jekyll app introduce intentional bugs into their own code. When Apple reviews the app, its code and functionality appear harmless. Once the app has been installed on a person's device, however, the authors exploit the app's own vulnerabilities to create malicious control flows in the app's code, performing tasks that would normally cause an app to be rejected by Apple.

Wang's team submitted a proof-of-concept app to Apple and were able to get it approved through the normal App Store review process. Once it was published, the team downloaded the app onto their testing devices and were able to have the Jekyll app successfully carry out malicious activity like snapping photos, sending emails and text messages. They were even able to exploit kernel vulnerabilities. The team pulled their app immediately afterward, but the potential for other, similar apps to get onto the App Store remains.

Apple recently responded to the threat posed by malicious fake chargers by thanking the researchers and announcing a fix that will be available in iOS 7. Wang was also part of the research team that created the fake charger, but his findings with Jekyll apps could pose a greater risk to iOS and Apple. Mactans chargers, as the fake chargers are called, require physical access to a device, while Jekyll apps, once in the App Store, could be exploited remotely on any device that installs them. Additionally, Jekyll apps don't rely on any particular bug, which makes them difficult to stop, as Wang explained in an email to iMore:

It is not easy for Apple to detect or prevent Jekyll Apps, because it implies that Apple needs to detect or prevent intended bugs in third party apps.

The researchers have shared their findings with Apple, but it remains to be seen how Apple will address the problem. The full details of the team's discoveries will be presented later this month at the USENIX Security Symposium.

Source: Georgia Tech News Room


Nick Arnott

Security editor, breaker of things, and caffeine savant. QA at POSSIBLE Mobile. Writes on about QA & security, and as @noir on Twitter about nothing in particular.


Reader comments



If the bug itself isn't revealed, there is no immediate problem. The malicious developer still has to figure out the bug itself and how to execute the code through the bug. As a result, the malicious party still has to do a ton of legwork. It's still not great, but it's not the end of the world.

I'll wait for final analysis when we have more details, but it seems odd that they could overcome sandboxing without relying on any iOS bug.

What it probably means is they are just more clever at hiding those exploits, in which case what Apple should do is patch the system bugs that let them take photos etc so even well hidden exploits can't use them.