Slashdot Mirror


"Jekyll" Test Attack Sneaks Through Apple App Store, Wreaks Havoc

An anonymous reader writes "A malware test app sneaked through Apple's review process disguised as a harmless app, and then re-assembled itself into an aggressive attacker even while running inside the iOS 'sandbox' designed to isolate apps and data from each other. The app, dubbed Jekyll, was helped by Apple's review process. The malware designers, a research team from Georgia Institute of Technology's Information Security Center, were able to monitor their app during the review: they discovered Apple ran the app for only a few seconds, before ultimately approving it. That wasn't anywhere near long enough to discover Jekyll's deceitful nature."

9 of 206 comments

  1. iOS apps -- can they self-modify? by swb · · Score: 3, Interesting

    Let's say you submit an app to the app store, and like many it's designed to do something fairly idiotic that today's kids find funny, say, take a picture and then superimpose the picture onto a set of background images included with the app.

    Now, let's say the app writer has steganographically embedded "naughty" code in the background images, maybe even going so far as to spread the code across all the images, encrypt, etc. to make it difficult to find.

    Can the app modify itself by taking its hidden code from the images and actually execute it? Can you download "new" code from the internet, even if it's steganographically hidden? It seems like you shouldn't be able to do this, like the apps should be sandboxed from modifying their own code just to prevent importing unapproved code.

    1. Re:iOS apps -- can they self-modify? by schneidafunk · · Score: 4, Interesting

      From my understanding, compiled code is reviewed once. However, in the cell phone app that I made, a lot of content was pulled from a database that I controlled, meaning product information could be updated by me without the need of review from Apple. We joked about replacing images with NSFW images, but I imagine what this team did was have a compiled app that ran code from a DB and was similarly able to be updated later.

      --
      Some people die at 25 and aren't buried until 75. -Benjamin Franklin
    2. Re:iOS apps -- can they self-modify? by cusco · · Score: 3, Interesting

      One of the voting machine vendors (not Diebold) actually did this in order to pass testing to get approval. From Date 01 to Date 07 it would only run locally available code, but then from Date 08 onwards it would check for scripts available on the inserted compact flash card and run them if they existed. The CF cards were only supposed to be used for recording votes, but the company was also using it to update the machine's firmware. No one knows for sure whether the scripts were used to change votes or anything else, but the possibility was certainly there.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  2. Q&A by tuo42 · · Score: 5, Interesting

    When I read this article, it strengthens my opinion that the Q&A process for the App Store is absolutely flawed. Don't get me wrong, regardless of whether you like or hate the walled garden, I actually am of the opinion that the guidelines - especially the UI guidelines - developers have to follow to be approved for the app store are a good thing in and of itself. The Google Play store has similar guidelines, although - IMHO - not as focused on user experience.

    I had apps declined due to improper usage of a certain widget in another certain widget which was not deemed "correct" (switch button in a table footer for example), but always was able to either find a similar solution or - in one rare case (the one mentioned) - explaining WHY that switch button is there, and how if you take a look at the UI, understand what it does.

    Then again I saw apps in the store which completely failed most of the even basic guidelines, described as (between the lines): "fail these, and your app will 100% be NOT approved", and I wondered "how did they get in there"?

    Talked to other developers, same experience. Some knew they had a few things in there against the guidelines (custom springboards, views not conforming with the UI guidelines) and hoped to get through. Sometimes they managed, sometimes not, so they also got the feeling that the Q&A for the App store is somewhat like tax declaration. They don't seem to have enough time/resources to check all, so if you do something that is against the guidelines, you have to hope that you are one who doesn't get checked thoroughly.

  3. Re:Apple review process = a few seconds? by PIBM · · Score: 5, Interesting

    I've had a game published which wasn't even started, or approved while only displaying 'an internet connection is required to proceed'. It's hard to be checked out less than this..

  4. I call bullshit on "unaware" claims by SuperKendall · · Score: 4, Interesting

    I can totally see getting an app through the submission process that does something a bit sneaky. Sometimes the app reviewers hardly look at a thing (though sometimes they look very carefully, it just depends on the reviewer).

    But the claim the app could "wreak havoc" needs some proof. They said:

    a Jekyll-based app can successfully perform many malicious tasks, such as posting tweets, taking photos, sending email and SMS, and even attacking other apps - all without the users knowledge

    Every single one of those requires permission from the user to do - posting tweets an app cannot do directly, it brings up a sheet. Same thing for email/SMS. Taking photos requires an OK from the user to access the camera. You cannot "attack other apps" because of the sandbox.

    Extraordinary claims, like a complete breaking of the sandbox, require more proof than they have presented. I would bet they are saying they THEORETICALLY could break out of the sandbox but have absolutely no actual working exploits that go outside of existing user permissions and the sandbox...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  5. Re:Wreak Havoc seems a bit overblown by Anonymous Coward · · Score: 2, Interesting

    Reminds me of this scene from First Contact:

    (Picard drains the coolant, finds the Borg Queen's head and neck that is still blinking. He breaks the neck)
    DATA: Captain.
    PICARD: Data, ...are you all right?
    DATA: I would imagine that I look worse than I ...feel. ...Strange. ...Part of me is sorry she is dead.
    PICARD: She was unique.
    DATA: She brought me closer to humanity than I could have thought possible. And for a time I was tempted by her offer.
    PICARD: How long a time?
    DATA: Zero point six eight seconds, sir. For an android ...that is nearly an eternity.

  6. Monitored? by wiredlogic · · Score: 4, Interesting

    What kind of two-bit operation is Apple running if apps can phone home during the vetting process?

    --
    I am becoming gerund, destroyer of verbs.
  7. Re:BUT MACS DON'T GET ... by CanHasDIY · · Score: 4, Interesting

    Heh, remember when Apple changed the info on their page from "DOES NOT GET VIRUSES" to "DOES NOT GET PC VIRUSES"?

    That was classic.

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese