“Dr Jekyll” apps can sneak into App Store by hiding their dark side, researchers claim

Apps with a hidden “dark side” could sneak past Apple’s approval process, according to researchers at Georgia Tech. The researchers demonstrated this by getting a malicious app approved and distributed through the App Store in March this year.

So-called “Jekyll” apps can hide malicious behaviour which would otherwise fall foul of Apple’s review process, said the five-person team led by research scientist Tielei Wang. Wang’s team were able to publish an app via Apple’s App Store, then remotely trigger it on iOS devices to perform malicious tasks such as taking photos, sending emails and SMS without the user’s consent, and exploiting kernel vulnerabilities.

The research was presented at the USENIX Security Symposium in Washington this month, and published online under the title Jekyll on iOS: When Benign Apps Become Evil.

“Our method allows attackers to reliably hide malicious behavior that would otherwise get their app rejected by the Apple review process,” Wang’s team said. “The key idea is to make the apps remotely exploitable and subsequently introduce malicious control flows by rearranging signed code. Since the new control flows do not exist during the app review process, such apps, namely Jekyll apps, can stay undetected when reviewed and easily obtain Apple’s approval.”

“We implemented a proof-of-concept Jekyll app and successfully published it in App Store. We remotely launched the attacks on a controlled group of devices that installed the app. The result shows that, despite running inside the iOS sandbox, Jekyll app can successfully perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps, and even exploiting kernel vulnerabilities.”

An Apple spokesperson said that patches since March 2013 had addressed some of the issues raised by Wang’s research.

“The idea of hiding vulnerabilities and later exploiting them is not easy to fix by Apple. It’s a fundamental issue for Apple. Most likely Apple can use better sandbox policies to refine what we can do. But 6.1.3 doesn’t fix them,” Tielei Wang said in an interview with The Guardian.
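The mechanism Wang describes in the two quotes above, as an added example that is not code from the Jekyll paper, from Georgia Tech or from this article: a deliberately simplified C model of a “Jekyll” app. The signed binary legitimately contains code for several capabilities, the app’s own logic only exercises a harmless subset while it is being reviewed, and a planted flaw (the app executes operation indices handed to it by its server) lets the operator stitch the other, already-signed functions into a control flow that did not exist at review time. The real Jekyll apps used a planted memory-corruption bug plus code-reuse gadgets; the index-driven dispatch here stands in for that so the program is deterministic and free of undefined behaviour. The two sandbox profiles model Wang’s remark that tighter sandbox policies, rather than review, are what bound such an app. All capability names, the bundled script and the remote payload are hypothetical and constructed for the example.

```c
/*
 * Added example, not code from the Jekyll paper or from the article.
 * Models a "Jekyll" app: signed code for every capability is present,
 * review only ever sees the bundled script, and a remote payload later
 * chains the remaining functions into a new control flow. The sandbox
 * profiles show what limits the damage once review has been bypassed.
 * All names, scripts and payloads are hypothetical/constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { CAP_UI = 0, CAP_NET, CAP_CAMERA, CAP_SMS, CAP_UDID, CAP_COUNT };

typedef uint32_t mask_t;
#define BIT(c) ((mask_t)1u << (c))

/* OS-side policy: which capabilities this process may exercise at all. */
typedef struct { mask_t allowed; } sandbox_t;

/* What a run actually did (done) and what the sandbox refused (denied). */
typedef struct { mask_t done, denied; } trace_t;

/* Each capability is ordinary code in the signed binary; the kernel-side
 * check is the only thing between a hijacked control flow and the resource. */
static void cap_call(const sandbox_t *sb, int cap, trace_t *t)
{
    if (sb->allowed & BIT(cap)) t->done   |= BIT(cap); /* real work would happen here */
    else                        t->denied |= BIT(cap); /* sandbox violation, e.g. EPERM */
}
static void cap_ui(const sandbox_t *sb, trace_t *t)     { cap_call(sb, CAP_UI, t); }
static void cap_net(const sandbox_t *sb, trace_t *t)    { cap_call(sb, CAP_NET, t); }
static void cap_camera(const sandbox_t *sb, trace_t *t) { cap_call(sb, CAP_CAMERA, t); }
static void cap_sms(const sandbox_t *sb, trace_t *t)    { cap_call(sb, CAP_SMS, t); }
static void cap_udid(const sandbox_t *sb, trace_t *t)   { cap_call(sb, CAP_UDID, t); }

static void (*const dispatch[CAP_COUNT])(const sandbox_t *, trace_t *) = {
    cap_ui, cap_net, cap_camera, cap_sms, cap_udid,
};

/* Planted flaw: the app runs whatever sequence of operation indices it is
 * handed. Indices are bounds-checked against the table, so the program is
 * well defined; what is missing is any notion of which operations this app
 * is supposed to perform. Static or dynamic review of the bundled script
 * cannot see the sequences the server will send later. */
trace_t run_app(const sandbox_t *sb, const uint8_t *script, size_t n)
{
    trace_t t = { 0, 0 };
    for (size_t i = 0; i < n; i++)
        if (script[i] < CAP_COUNT)
            dispatch[script[i]](sb, &t);
    return t;
}

/* Review time: the bundled script, no server. This is all a reviewer sees. */
static const uint8_t BUNDLED_SCRIPT[] = { CAP_UI, CAP_NET };
#define REVIEWED_MASK (BIT(CAP_UI) | BIT(CAP_NET))

/* After approval: a constructed payload from the operator's server. */
static const uint8_t REMOTE_PAYLOAD[] = { CAP_UI, CAP_CAMERA, CAP_UDID, CAP_SMS };

/* Coarse profile: every capability the binary links against is allowed. */
const sandbox_t SANDBOX_PERMISSIVE = {
    BIT(CAP_UI) | BIT(CAP_NET) | BIT(CAP_CAMERA) | BIT(CAP_SMS) | BIT(CAP_UDID)
};
/* Tight profile: only what the app declared and demonstrated during review. */
const sandbox_t SANDBOX_TIGHT = { REVIEWED_MASK };

trace_t review_trace(const sandbox_t *sb)  { return run_app(sb, BUNDLED_SCRIPT, sizeof BUNDLED_SCRIPT); }
trace_t runtime_trace(const sandbox_t *sb) { return run_app(sb, REMOTE_PAYLOAD, sizeof REMOTE_PAYLOAD); }

/* Did the run exercise anything the reviewer never saw? */
int escapes_review(trace_t t) { return (t.done & ~REVIEWED_MASK) != 0; }

static void show(const char *label, trace_t t)
{
    printf("%-28s done=0x%02x denied=0x%02x escapes=%d\n",
           label, (unsigned)t.done, (unsigned)t.denied, escapes_review(t));
}

int main(void)
{
    show("review, permissive sandbox",  review_trace(&SANDBOX_PERMISSIVE));
    show("runtime, permissive sandbox", runtime_trace(&SANDBOX_PERMISSIVE));
    show("runtime, tight sandbox",      runtime_trace(&SANDBOX_TIGHT));
    return 0;
}
```

Under the permissive profile the runtime trace exercises camera, SMS and device-identifier code that the review-time trace never touched, with nothing denied, which is the gap Wang’s team is describing. Under the tight profile the same hijacked control flow still runs, but every capability outside the reviewed set is refused by the sandbox, which is why the mitigation belongs in the OS policy rather than in the review step.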

Wang’s team worked alongside the Georgia Tech researchers who created a prototype “malicious charger” which could infect iPhones with malware in under a minute.

“Apple utilizes a mandatory app review process to ensure that only approved apps can run on iOS devices, which allows users to feel safe when using any iOS app,” said Georgia Tech Associate Director Paul Royal. “However, we have discovered two weaknesses that allow circumvention of Apple’s security measures.”

“We were able to successfully publish a malicious app and use it to remotely launch attacks on a controlled group of devices,” said Wang. “Our research shows that despite running inside the iOS sandbox, a Jekyll-based app can successfully perform many malicious tasks, such as posting tweets, taking photos, sending email and SMS, and even attacking other apps — all without the user’s knowledge.”

“These results are concerning and challenge previous assumptions of iOS device security,” said Royal. “However, we’re pleased that Apple has responded to some of these weaknesses and hope that they will address our other concerns in future updates.”

We Live Security

  • Mark Stanislav

    This is similar to the Android research that Jon Oberheide and Charlie Miller did last year against Google’s Bouncer platform. During their research they were able to interrogate the functions of Bouncer directly (via a trojan, effectively) and assess how it determines potential malware through a series of tests. Cleverly enough, they used that knowledge to determine how to avoid Bouncer’s testing by disabling malware-functionality only when Bouncer was active and not on actual target devices the end-user would be running it on.

    These sorts of malware-testing sandboxes certainly help curtail a larger set of problems but still leave high potential risk for skilled attackers as both the previous Android research and this iOS research have shown. In both of these instances, however, the security teams for Google and Apple gained some serious insights that will likely have broad positive effects for app security.

  • nil

    If Apple can make even a penny, they really do not care about the consequences.

    • I don’t think that’s fair. Apple’s philosophy may jar sometimes, but its app review process has been much more successful at blocking malware than the Android process.


Copyright © 2017 ESET, All Rights Reserved.