A malware test app was able to sneak through Apple’s review process disguised as a harmless app, and it was then able to re-assemble into an aggressive attacker even while running inside the iOS sandbox designed to isolate apps and data from each other.
The app, dubbed Jekyll, ended up being a test of the Apple review process. The malware designers, a research team from Georgia Institute of Technology’s Information Security Center (GTISC), were able to monitor their app during the review. They discovered Apple ran the app for only a few seconds before ultimately approving it. That wasn’t anywhere near long enough to discover Jekyll’s potentially destructive nature.
Jekyll’s design involved more than simply hiding the code under legitimate behaviors. Jekyll was designed to later rearrange its components to create new functions that the app review could not have detected. It also directed Apple’s Safari browser to reach out for new malware from specific websites created for that purpose.
“Our research shows that despite running inside the iOS sandbox, a Jekyll-based app can successfully perform many malicious tasks, such as posting tweets, taking photos, sending email and SMS, and even attacking other apps – all without the user’s knowledge,” said Tielei Wang, who led the Jekyll development team at GTISC. Long Lu, a Stony Brook University security researcher, was also a part of the team.
A form of Trojan horse malware, Jekyll was able to reach out to the attack designers for instructions once it was downloaded. “The app did a phone-home when it was installed, asking for commands,” Lu said. “This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed.”
Sandboxing is a fundamental tenet of secure operating systems, intended to insulate apps and their associated data from each other and to prevent the very attacks and activities that Jekyll was able to carry off. It’s also a technique for detecting malware by running code in a protected space where a security expert can automatically analyze it for traits indicative of malicious activity. The problem is that attackers are well aware of sandboxing and are working to exploit existing blind spots.
The Jekyll app was live for only a few minutes in March, and no innocent victims installed it, Lu said. During that brief time, the researchers installed it on their own Apple devices and attacked themselves, then withdrew the app before it could do real harm.
“The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen,” Lu said.
The results of the new attack were described in a paper entitled “Jekyll on iOS: When Benign Apps Become Evil.”
Apple spokesman Tom Neumayr said Apple was making “some changes to its iOS mobile operating system in response to issues identified in the paper,” according to Talbot.