Researchers Snuck Malware Onto the App Store By Making It a Transformer
No one really knows exactly how
The app, called Jekyll, was able to send e-mails and texts, steal information and device ID numbers, take photos, send tweets, and attack other apps. But its trick was that it couldn't do any of this right away. Instead, its malicious code was broken into innocent-looking segments that would transform only after download.
Long Lu, one of the researchers on the team, described it this way:
The app did a phone-home when it was installed, asking for commands. This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed.
After the team slipped Jekyll into the App Store, they downloaded it and ran the attacks on themselves before deleting it from the store. By monitoring the app, they were able to tell that Apple scanned it for only a few seconds before approval, though who knows whether a longer scan really would have helped.
The experiment happened all