Georgia Tech researchers released an app into the Apple Store that masked malware as generic app functions. The exploit creates concerns about the migration of PC viruses to mobile, Apple’s app vetting procedures, and the general way we protect our phones from attacks.
A paper at the Usenix Conference in Washington DC last Friday gave a rundown of work done by researchers at Georgia Tech to expose the lack of testing Apple performs on apps that go into its store. This required that the researchers run through Apple’s standard procedure to gain approval for their app, named Jekyll, which then went on to reassign its approved code to attack the phone. The accepted app was used by the researchers to attack their own phones and was removed from the store to avoid any unwelcome attacks.
Apple claims to have dealt with some of the issues, mainly vulnerabilities in the OS, but will not discuss its approval process. How this translates into the real world: consumers’ PCs are constantly under threat, and we do have some very rich anti-virus software vendors (McAfee, for example, cost Intel $7 billion). Businesses have IT departments that won’t let you do anything to tick them off, let alone download a malicious app.
The mobile market does have security vendors including McAfee and Symantec, PC stalwarts. But, there are issues with phone performance – as if there aren’t any performance issues on PCs – and how well these services work.
In the meantime, we can knock Apple and they can just keep quiet on the subject. However, there is one thing that we know for sure: even in its heyday, Apple never had to contend with this level of usage or third-party support for its platform. Mobile makes Apple highly vulnerable, and traditionally, the company always hunkers down when it feels threatened. So, it will be interesting to see if it decides to change its app approval processes, which are a little bit of a mystery these days, anyhow.
As the original paper states in its conclusion:
In this paper, we presented a novel attack scheme that can be used by malicious iOS developers to evade the mandatory app review process. The key idea is to dynamically introduce new execution paths that do not exist in the app code as reviewed by Apple. Specifically, attackers can carefully plant a few artificial vulnerabilities in a benign app, and then embed the malicious logic by decomposing it into disconnected code gadgets and hiding the gadgets throughout the app code space. Such a seemingly benign app can pass the app review because it neither violates any rules imposed by Apple nor contains functional malice. However, when a victim downloads and runs the app, attackers can remotely exploit the planted vulnerabilities and in turn assemble the gadgets to accomplish various malicious tasks.
We demonstrated the versatility of our attack via a broad range of malicious operations. We also discussed our newly discovered private APIs in iOS that can be abused to send email and SMS and post tweets without the user’s consent.
Our proof-of-concept malicious app was successfully published on App Store and tested on a controlled group of users. Even running inside the iOS sandbox, the app can stealthily post tweets, take photos, gather device identity information, send email and SMS, attack other apps, and even exploit kernel vulnerabilities.