Researchers Snuck Malware Onto the App Store By Making It a Transformer
No one really knows exactly how Apple makes sure the apps that wind up in its store are safe. All we know is that the App Store has a better track record than its Android counterpart.
The app, called Jekyll, was able to send e-mails and texts, steal information and device ID numbers, take photos, send tweets, and attack other apps. But its trick was that it couldn't do this right away. Instead, its malicious code was broken into innocent-looking segments that would transform after download.
Long Lu, one of the researchers on the team, described it this way:
The app did a phone-home when it was installed, asking for commands. This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed.
After the team slipped Jekyll into the App Store, they downloaded it and ran the attacks on themselves before deleting it from the store. By monitoring the app, they were able to tell that Apple only scanned it for mere seconds before approval, though who knows if a longer scan really would have helped.
The experiment happened all the way back in March, but the team only just spilled the beans about their results last Friday at the Usenix conference in Washington. Since then, Apple has tweaked its app review process in ways that it's not keen on talking about. It just goes to show that you can never be too careful about what you download; there are always going to be ways to sneak sketchy apps past the guards. [MIT Technology Review]