ID: IRCNE2013081935
Date: 2013-08-20
According to Computerworld, a team of researchers from Georgia Tech has demonstrated how hackers can slip a malicious app past Apple's reviewers so that it is published to the App Store and ready for unsuspecting victims to download.
Led by Tielei Wang, a research scientist at Georgia Tech's school of computer science, the team created a "Jekyll" app. Hidden inside the app were code fragments, dubbed "gadgets," that self-assembled to create a proof-of-concept exploit only after the app was approved by Apple.
The assembled attack code was able to send tweets, email and texts without the user's knowledge, and could steal the iPhone's unique device ID, turn on the camera and take video, forward voice calls to other phones and connect with local Bluetooth devices. Because the reconfigured app also "phoned home" to a server operated by the researchers, they were able to download additional malware and compromise other apps on the smartphone, including the Safari browser.
The Georgia Tech researchers built their Jekyll app and submitted it to Apple, which approved it seven days later. Once on the App Store, the team downloaded the app onto their own iPhones, told it to transform into a Mr. Hyde and ask for instructions from their server. After confirming that it worked as designed, they removed the app from the App Store. No other users downloaded the app while it was available, Wang said.
Wang and his team reported their findings to Apple in March, long before the paper was made public. Apple did not reply to a request for comment, but elsewhere the company has said it made changes in iOS in response.
According to Wang, iOS 7 is still vulnerable to the technique of hiding vulnerabilities in a Jekyll app and exploiting them after approval to do dirty work.
His recommendation to users? "Be very cautious when you download unknown, third-party apps," he said.