Jekyll bypasses App Store to spread infection


Apple has long prided itself on the security of its operating systems, but today’s news about iOS malware may give some users pause. Researchers have shown that a method they call Jekyll can get an app with hidden malicious behaviour through App Store review, proving that Apple’s app approval process is not infallible.

The work comes from the Georgia Institute of Technology, where researchers built a Jekyll app and found that it could steal identity data from the device, send emails, post tweets, take photos and more, and could also be used to exploit kernel vulnerabilities. Their paper, Jekyll on iOS: When Benign Apps Become Evil, has just been published online as a PDF and was presented at the 22nd USENIX Security Symposium.

The five-person team explained that malicious behaviour which would normally be spotted during Apple’s review can be reliably hidden using Jekyll. The key is that the app is built to be remotely exploitable on purpose: it ships with a planted vulnerability, and once the app is approved and installed, the attacker triggers that vulnerability over the network and assembles the malicious control flow by rearranging pieces of the app’s own signed code (code-reuse techniques such as return-oriented programming) rather than by adding any new code. Because those control flows do not exist anywhere in the binary that Apple inspects, a Jekyll app shows only benign behaviour during review and passes approval.
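To make the idea concrete, here is a small C program written for this article; it is an added illustration, not code from the paper or from the Georgia Tech team. It models an app whose every function is legitimate and reviewable, plus one planted bug: a message parser that trusts a length field. A normal message runs the intended handler; the attacker’s message overflows a name field into a function pointer and points it at another function that is already in the signed binary (one that uploads contacts for an opt-in backup feature). No code is added by the attack, only an address. The wire format, the function names and the assumption that the attacker already knows the target address (on a real device with ASLR that would need an information leak first) are all constructs of this example. The paper’s apps go further, chaining many small fragments of signed code rather than calling one whole function, but the reason review cannot see the behaviour is the same.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy "Jekyll" app. Every function here is legitimate, reviewable code and
 * there is no hidden malicious routine; the harm appears only at run time,
 * when a planted bug lets a remote message pick which existing function runs.
 * Wire format (constructed for this example): byte 0 type, byte 1 nick
 * length, then the nick bytes. */
#define MSG_HELLO 0x01

struct session {
    char nick[16];          /* remote-supplied nickname */
    int (*on_ready)(void);  /* next step to run; lies right after nick[] */
};

/* Benign step that a HELLO message is meant to trigger. */
int show_greeting(void) { return 1; }

/* Also benign on its own: backs an opt-in "back up contacts" feature, so it
 * sits in the signed binary. 42 stands in for "contacts uploaded". */
int upload_contacts(void) { return 42; }

/* Planted bug: the nick length is trusted, so a long nick runs past nick[]
 * into on_ready. Returns the result of whichever function ended up running.
 * (A length beyond sizeof(struct session) would just crash this toy.) */
int handle_message(const unsigned char *msg, size_t msg_len) {
    struct session s;
    unsigned char *dst = (unsigned char *)&s + offsetof(struct session, nick);
    size_t i, n;

    if (msg_len < 2 || msg[0] != MSG_HELLO) return -1;
    n = msg[1];
    if (2 + n > msg_len) return -1;                 /* framing is checked ... */
    memset(&s, 0, sizeof s);
    s.on_ready = show_greeting;
    for (i = 0; i < n; i++) dst[i] = msg[2 + i];   /* ... the field size is not */
    return s.on_ready();
}

/* Fixed parser: identical apart from the bound that was "forgotten" above. */
int handle_message_fixed(const unsigned char *msg, size_t msg_len) {
    struct session s;
    size_t n;

    if (msg_len < 2 || msg[0] != MSG_HELLO) return -1;
    n = msg[1];
    if (2 + n > msg_len || n >= sizeof s.nick) return -1;
    memset(&s, 0, sizeof s);
    memcpy(s.nick, msg + 2, n);
    s.on_ready = show_greeting;
    return s.on_ready();
}

/* Ordinary client message. */
size_t build_hello(unsigned char *out, size_t cap, const char *nick) {
    size_t n = strlen(nick);
    if (n >= 16 || cap < 2 + n) return 0;
    out[0] = MSG_HELLO;
    out[1] = (unsigned char)n;
    memcpy(out + 2, nick, n);
    return 2 + n;
}

/* Attacker's message. Assumption of this example: the attacker already knows
 * where `target` lives (on a real device with ASLR that takes an information
 * leak first; here the address is simply handed in). No code is sent, only
 * the address of code that was already reviewed and signed. */
size_t build_attack(unsigned char *out, size_t cap, int (*target)(void)) {
    size_t n = 16 + sizeof target;
    if (cap < 2 + n) return 0;
    out[0] = MSG_HELLO;
    out[1] = (unsigned char)n;
    memset(out + 2, 'A', 16);                      /* fill nick[] ...          */
    memcpy(out + 18, &target, sizeof target);      /* ... then clobber on_ready */
    return 2 + n;
}

/* Deliver one message (attack or benign) to one parser (fixed or buggy) and
 * return what the app did: 1 greeting, 42 contacts uploaded, -1 rejected. */
int run_scenario(int fixed_app, int attack) {
    unsigned char buf[64];
    size_t n = attack ? build_attack(buf, sizeof buf, upload_contacts)
                      : build_hello(buf, sizeof buf, "alice");
    return fixed_app ? handle_message_fixed(buf, n) : handle_message(buf, n);
}

int main(void) {
    printf("benign HELLO, buggy app -> %d\n", run_scenario(0, 0));
    printf("attack,       buggy app -> %d\n", run_scenario(0, 1));
    printf("attack,       fixed app -> %d\n", run_scenario(1, 1));
    return 0;
}
```

Note what a reviewer running the buggy build would see: every message they send takes the greeting path, and a static read of the source shows `upload_contacts` only ever being called from the backup feature. The path from the network to `upload_contacts` is created by the attacker’s message, not by any instruction in the binary, which is why bounds checks and memory-safety review matter even when an app’s feature set looks harmless.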

The researchers got a proof-of-concept Jekyll app published in the App Store and then remotely launched attacks on a group of devices on which it had been installed. Apple approved the app, which went live on the App Store in March. Once the team had installed it on the devices used for the research, they withdrew it from the App Store. The team has since disclosed the attack to Apple and says its data shows that the app was only ever installed on their own test devices.

Apple says it has since made some changes to iOS, and it is possible that these arrived with the iOS 6.1.3 update released in mid-March. However, the researchers say that, “the idea of hiding vulnerabilities and later exploiting them is not easy to fix by Apple,” adding that this is a fundamental issue: a review that examines the code an app ships with cannot see behaviour that only comes into being when an attacker exploits the app after approval.

Now that we know this kind of app has gained App Store approval, it raises the possibility that it has happened before or could happen again. Google’s Android platform is often criticised for malware slipping through the Google Play store, while Apple has always maintained that iOS is far less vulnerable. News of this iOS malware could make device users less confident and could also prompt other malicious coders to try the same thing. With Apple currently approving around 4,800 iOS apps a week, keeping behaviour of this kind out of the store is a massive undertaking.

We’d welcome your comments on the news of this Jekyll method, which has been used to slip iOS malware past the App Store approval process. Has this made you feel less confident about Apple app security in the future?

Source: USENIX pdf (Georgia Institute of Technology)