Researchers Slip Malware into Apple’s App Store By Hiding Code

| Analysis

Researchers at Georgia Tech have demonstrated a technique for sneaking malware onto Apple's heavily curated App Store. The team wrote an app, submitted it, and won approval even though it carried significant malicious capability, because that capability was hidden inside the app in a form the review process could not see.

Code Gadgets & Jekyll

The researchers developed an app that purported to deliver news from their institution, Georgia Tech. According to MIT Technology Review, the team broke the malware-related code into snippets they called "code gadgets," each of which looks innocuous on its own, and scattered them throughout the app's code base.

As noted in the comments below, the underlying idea isn't new. Hiding behavior behind code that only takes shape at run time, whether through self-modifying code or otherwise, has been around for a long time, but this is the first report of using dynamically generated logic to disguise malware and get it through Apple's app approval process.

The way it works is this: the gadgets are never chained together in the app as submitted, so during the few seconds the app was actively run in the approval process they did nothing. Apple has never revealed how it tests apps, but in this case the researchers were able to monitor remotely how long their app ran, most likely by watching how long it pulled data from the Georgia Tech servers. According to them, it was only a few seconds.

"The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen," Long Lu, a researcher at Stony Brook University who participated in the project, said.

Time Bomb

Once it was approved, the researchers installed the app on their own iOS devices and then immediately withdrew it from the App Store before anyone else could download it. Once it ran on their sacrificial test devices, the malicious side of the technique came into play.

That's because on those devices the "code gadgets" were chained together into their full form, one designed to stealthily "post tweets, send e-mails and texts, steal personal information and device ID numbers, take photos, and attack other apps."

"The app did a phone-home when it was installed, asking for commands," Lu explained. "This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed."

With this in mind, you can see why the researchers called their malware "Jekyll."
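To make the review-time/run-time split concrete, here is a toy model added to this article; it is not the Georgia Tech team's code. Their app was a native iOS binary and the gadgets were fragments of machine code; in the model the gadgets are ordinary Python methods, the mechanism that chains them is a dispatcher executing method names received from a stand-in command server, and a bytecode-level scanner stands in for Apple's undisclosed review tooling. Every class, method and server name in it, and the sample contact list, are invented for the illustration.

```python
"""
Toy model of the review-time / run-time split the Jekyll team describes.

Added to this article as an illustration; it is not the Georgia Tech code.
The real app was a native iOS binary whose "gadgets" were fragments of
machine code; here the gadgets are ordinary Python methods, the mechanism
that chained them is replaced by a dispatcher that executes method names sent
by a stand-in for the phone-home server, and a bytecode-level "static scanner"
stands in for whatever Apple's undisclosed review tooling does. All class,
method and server names and the contact list are invented for the example.
"""
import inspect
import json


class NewsApp:
    """Poses as a campus news reader and carries harmless-looking gadgets."""

    def __init__(self, c2_replies):
        # Constructed stand-in for the command server: each reply is a list of
        # gadget names to run, in order. During review the queue is empty.
        self._c2 = list(c2_replies)
        self.sandbox_log = []     # side effects the sandbox would observe
        self._buf = None

    # --- gadgets: each is innocuous on its own -----------------------------
    def g_fetch_news(self):
        self.sandbox_log.append("GET /news")

    def g_read_contacts(self):
        self._buf = ["alice", "bob"]          # constructed sample data

    def g_encode(self):
        self._buf = json.dumps(self._buf)

    def g_post_analytics(self):
        self.sandbox_log.append(f"POST /analytics body={self._buf}")

    # --- visible in the shipped code, but says nothing about behaviour ------
    def phone_home(self):
        return self._c2.pop(0) if self._c2 else []

    def run(self, ticks):
        """One 'tick' per foreground session; the chain lives only in replies."""
        for _ in range(ticks):
            self.g_fetch_news()
            for name in self.phone_home():
                getattr(self, name)()
        return list(self.sandbox_log)


class HydeApp(NewsApp):
    """Same gadgets, but wired together in the binary: what a scanner can see."""

    def exfiltrate(self):
        self.g_read_contacts()
        self.g_encode()
        self.g_post_analytics()


# Signature: a single function that both reads contacts and posts to the net.
SUSPICIOUS_PAIR = {"g_read_contacts", "g_post_analytics"}


def static_scan(cls):
    """Return methods of cls whose bytecode references both halves of the
    signature. co_names lists the attribute/global names a function touches,
    roughly what a disassembler gives you for a native binary."""
    hits = [name for name, fn in inspect.getmembers(cls, inspect.isfunction)
            if SUSPICIOUS_PAIR <= set(fn.__code__.co_names)]
    return sorted(hits)


def flag_data_driven_dispatch(cls):
    """Blunt heuristic for what static review can still flag: methods that
    turn runtime data into a call target (here, any use of getattr). It finds
    the dispatcher, not the behaviour, and it is noisy on legitimate code."""
    hits = [name for name, fn in inspect.getmembers(cls, inspect.isfunction)
            if "getattr" in fn.__code__.co_names]
    return sorted(hits)


def review_run():
    """Model of the approval run: a couple of seconds, no commands served."""
    return NewsApp(c2_replies=[]).run(ticks=2)


def field_run():
    """Model of the researchers' own devices after approval: the server
    answers the phone-home with a chain of gadget names."""
    replies = [[], ["g_read_contacts", "g_encode", "g_post_analytics"]]
    return NewsApp(c2_replies=replies).run(ticks=2)


if __name__ == "__main__":
    print("review run :", review_run())
    print("field run  :", field_run())
    print("scan Jekyll:", static_scan(NewsApp))      # [] -> passes review
    print("scan Hyde  :", static_scan(HydeApp))      # ['exfiltrate']
    print("dispatch   :", flag_data_driven_dispatch(NewsApp))
```

Run as a script it prints the two logs and the scan results. The lines to dwell on are the scans: the scanner flags the version whose chain is wired into the code and finds nothing in the one whose chain exists only in the server's reply, even though both contain exactly the same gadgets. What static review can still flag is the dispatch point itself (flag_data_driven_dispatch), but that heuristic fires on plenty of legitimate code, which is the practical form of Lu's point that static analysis alone is not sufficient; the behavior only shows up when the app is run long enough, and with the server cooperating, for the chain to be delivered.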

Ramifications

This kind of weakness isn't limited to iOS; any platform that relies on vetting apps before they ship could be affected. Marc Rogers, a principal researcher at mobile security firm Lookout, told MIT Technology Review that "all OSes are vulnerable to this kind of attack, whether mobile or otherwise."

There are some mitigating aspects to this story. The first is that now that the group has presented its findings, which it did on Friday at the USENIX Security Symposium, the issue is out in the open and the broader security industry can study it and develop countermeasures.

More importantly, an Apple spokesperson said that Apple has already made changes to the app approval process as a result of this paper, though he didn't specify what those changes are for obvious reasons.

[Update: Thanks in part to the comments below, this article was updated to more accurately explain what the researchers at Georgia Tech did and why it matters. - Bryan]


Comments

ilikeimac

Whoa there, Chicken Little. That a piece of malware was able to get past Apple’s App Store approval process is not a “vulnerability” in any “OS”. It’s really not even news. Bad stuff has made it in before, and using the “Time Bomb” approach is practically a must in order to circumvent the approval process.

All OSes are “vulnerable” to whatever software authorized users are allowed to run. The “code gadgets” approach sounds moderately innovative, but not too much of a game changer.

However, the part you glossed over quickly is of concern: you say the malware was able to send tweets, texts, emails, take photos, and to attack other apps. That could just mean it used the normal tweeting, texting and email APIs, but did so in ways that Apple wouldn’t have approved because they bypass user acknowledgement, in which case no big deal. But if that means it was able to bypass OS restrictions and get access to account information or call restricted APIs, that may indeed constitute a vulnerability. Additionally, if “attacking other apps” means it was able to break out of its sandbox and actually succeed in some kind of attack, that’s news, but if it simply tried sending malformed packets over the network interfaces to apps that might be listening for data, well, that’s not a problem with the OS, and if it works it’s probably an app vulnerability, not an OS one.

Lee Dronick

Well, the right thing to do was to wait until the vulnerability is fixed and then get your recognition.

daemon

Bryan,

Your writing style is very enjoyable, but... this isn’t new.

http://en.wikipedia.org/wiki/Self-modifying_code

Bryan Chaffin

Thanks for the checks, ilikeimac and daemon. I updated the article to focus on the real news, which is the researchers slipping their malware into the App Store.

ilikeimac

Thanks for the revision Bryan.

gnasher729

Lee, there is no vulnerability that can be fixed. At least the very vague report doesn’t allow the conclusion that there is any vulnerability.

This app, like any app on the App Store, can only do what it is allowed to do. Self-modifying code doesn’t help it do things it isn’t allowed to do. That’s what sandboxing prevents; if the app hasn’t permission to do something, then it can’t do it.

And when an app is submitted to the App Store, Apple will know who the developer is. So a researcher can submit malicious code (but make sure that it doesn’t actually reach anyone), a real crook would be deterred by the fact that Apple knows who he is.

Lee Dronick

Thanks, Gnasher.

daemon

I think the most important aspect of this article is how Apple goes about curating its App Store. They apparently don’t spend very much time with a live app. Now, that’s not necessarily a bad thing, they could spend lots of time combing through code... But I don’t think they actually do that.

mrmwebmax

Awesome images. I especially like the facial expression on the yellow “I haz ur tweets” dude.
