Researchers sneak 'Jekyll app' malware into App Store, exploit their own code

Tielei Wang and his team of researchers at Georgia Tech have discovered a method for getting malicious iOS apps past Apple's App Store review process. The team created a "Jekyll app" that seemed harmless at first, but after making it into the App Store and onto devices, is able to have its code rearranged in order to perform potentially malicious tasks.

Jekyll apps - likely named after the less malicious half of the classic Dr. Jekyll and Mr. Hyde pairing - are somewhat similar to previous work done by Charlie Miller. Miller's app had the end-result of being able to execute unsigned code on a user's device by exploiting a bug in iOS, which Apple has since fixed. Jekyll apps differ in that they don't rely on any particular bug in iOS at all. Instead, authors of a Jekyll app introduce intentional bugs into their own code. When Apple reviews the app its code and functionality will appear harmless. Once the app has been installed on a person's device, however, the app's vulnerabilities are exploited by the authors to create malicious control flows in the app's code, performing tasks that would normally cause an app to be rejected by Apple.

Wang's team submitted a proof-of-concept app to Apple and were able to get it approved through the normal App Store review process. Once published, the team downloaded the app onto their testing devices and were able to have the Jekyll app successfully carry out malicious activity like snapping photos, sending emails and text messages. They were even able kernel vulnerabilities. The team pulled their app immediately after, but the potential for other, similar apps to get onto the App Store remains.

Apple recently responded threats posed by fake malicious chargers by thanking the researchers and announcing a fix that will be available in iOS 7. Wang was also part of the research team that created the fake charger, but his findings with Jekyll apps could pose a greater risk to iOS and Apple. Mactans chargers require physical access to a device, while Jekyll apps, once in the App Store, could be exploited remotely on any device that installs them. Additionally, Jekyll apps don't rely on any particular bug which makes them difficult to stop, as Wang explained in an email to iMore:

It is not easy for Apple to detect or prevent Jekyll Apps, because it implies that Apple needs to detect or prevent intended bugs in third party apps.

The researchers have shared their findings with Apple, but it remains to be seen how Apple will address the problem. The full details of the teams' discoveries will be presented later this month at the USENIX Security Symposium.

Source: Georgia Tech News Room

Nick Arnott