A team of researchers from
Led by Tielei Wang, a research scientist at
The assembled attack code was able to send tweets, email and texts without the user's knowledge, and could steal the iPhone's unique device ID, turn on the camera and take video, forward voice calls to other phones and connect with local Bluetooth devices. Because the reconfigured app also "phoned home" to a server operated by the researchers, they were able to download additional malware and compromise other apps on the smartphone, including the Safari browser. What had seemed on the surface -- far below the surface for that matter -- to be a harmless Dr. Jekyll was silently transformed into an evil
Those code gadgets -- and the app's true control flow and operation -- were disguised in such a way that it would be virtually impossible for Apple's current review methods to discover the app's real intent. "Even with a longer time [to analyze the app] they can't find that it's malicious," said Wang in an interview Monday.
The vulnerabilities that a Jekyll app secretly plants in its own code are also nearly impossible to detect or stamp out, he said.
In fact, Wang and his team --
"For instance, the app can deliberately leak its memory layout information to the remote server so that ASLR is completely ineffective," the group wrote in the paper they presented Friday in
No other users downloaded the app while it was available, Wang said.
Unlike Android, Apple's iOS has been remarkably free of malicious apps, due to the
But the review process, even if it were beefed up with more personnel and the analysis done with different tools, would not stymie Jekyll apps, Wang and his team wrote in their paper.
"We argue that the task of making all apps in
With little chance of catching Jekyll apps during review, Apple should enhance iOS security to stymie such masquerading software at runtime, or when it's on an iPhone and active, Wang said.
They made several recommendations, including improving ASLR and providing a finer-grained permission model, but pointed out that hackers may be able to work around those defenses, too.
One way Apple could monitor apps at run time, and thus stop Jekylls, is "control-flow integrity" (CFI), an advanced anti-exploitation technique that requires code execution to follow pre-defined paths and no others. In practice CFI checks indirect control transfers, such as calls through function pointers and function returns, against the program's legitimate control-flow graph, so a pointer the app has corrupted on purpose cannot redirect execution to a hidden gadget.
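The two mechanisms the article describes, a self-leak that makes ASLR useless and a runtime CFI check that refuses a redirected call, as an added illustration in C. This is not the researchers' code and not how iOS implements anything: the handler functions, the `hidden_path` stand-in for a gadget, the hand-written allow-list and the in-process computation of the link-time distance are all constructed for the demo. A production CFI scheme derives the allowed-target set from the program's type signatures or call graph rather than from a table like `ALLOWED_TARGETS`.

```c
#include <stdint.h>
#include <stdio.h>

typedef int (*handler_fn)(int);

/* Legitimate handlers the app reaches through an indirect call. */
static int handle_share(int n) { return n + 1; }
static int handle_save(int n)  { return n * 2; }

/* Code that is present in the binary but is never a legitimate indirect-call
 * target. It stands in for the gadget or hidden path a Jekyll app reaches
 * only after review is over (constructed for this demo). */
static int hidden_path(int n)  { return -n; }

/* --- Part 1: why one leaked pointer defeats ASLR --------------------------
 * ASLR shifts the whole image by a single per-process slide, so the distance
 * between any two symbols in that image is fixed at link time. The attacker
 * reads the distance out of the binary they shipped, the app leaks one
 * address, and every other address in the image follows by addition. */

/* What the app "phones home": the runtime address of a benign, known symbol. */
uintptr_t leak_known_address(void) { return (uintptr_t)handle_share; }

/* Link-time distance hidden_path - handle_share. Computed in-process here so
 * the demo is self-contained; in the attack it comes from the binary on disk. */
intptr_t linktime_distance(void) {
    return (intptr_t)((uintptr_t)hidden_path - (uintptr_t)handle_share);
}

/* Server side: recover the hidden target from the single leaked address. */
uintptr_t resolve_from_leak(uintptr_t leaked, intptr_t distance) {
    return leaked + (uintptr_t)distance;
}

/* --- Part 2: a forward-edge CFI check on the indirect call ----------------
 * The allow-list is the set of functions this call site may legitimately
 * reach. Hand-written for the demo; real CFI derives it from the program. */
static const handler_fn ALLOWED_TARGETS[] = { handle_share, handle_save };
#define N_ALLOWED (sizeof ALLOWED_TARGETS / sizeof ALLOWED_TARGETS[0])

/* Returns 1 if `target` is a permitted destination for this call site. */
int cfi_check(handler_fn target) {
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (ALLOWED_TARGETS[i] == target) return 1;
    return 0;
}

/* Dispatch with no check: once the app has corrupted its own function
 * pointer, the call lands wherever the pointer says, hidden_path included. */
int dispatch_unchecked(handler_fn target, int arg) { return target(arg); }

/* Same dispatch guarded by CFI. On a violation the call is refused, *blocked
 * is set and 0 is returned; callers must consult *blocked, since 0 can also
 * be a legitimate handler result. */
int dispatch_cfi(handler_fn target, int arg, int *blocked) {
    if (!cfi_check(target)) { *blocked = 1; return 0; }
    *blocked = 0;
    return target(arg);
}

/* Convenience: 1 if CFI would refuse a call to `target`, else 0. */
int cfi_would_block(handler_fn target, int arg) {
    int blocked = 0;
    (void)dispatch_cfi(target, arg, &blocked);
    return blocked;
}

int main(void) {
    /* The hijacked pointer the remote server computed from the leak. */
    handler_fn hijacked = (handler_fn)resolve_from_leak(leak_known_address(),
                                                       linktime_distance());
    int blocked = 0;
    int result;
    printf("leak resolves hidden_path: %s\n",
           (uintptr_t)hijacked == (uintptr_t)hidden_path ? "yes" : "no");
    printf("unchecked dispatch -> %d\n", dispatch_unchecked(hijacked, 21));
    result = dispatch_cfi(hijacked, 21, &blocked);
    printf("CFI dispatch       -> %d (blocked=%d)\n", result, blocked);
    result = dispatch_cfi(handle_save, 21, &blocked);
    printf("legit dispatch     -> %d (blocked=%d)\n", result, blocked);
    return 0;
}
```

The allow-list comparison is the whole defense: an attacker who can corrupt the pointer but not the table gets a refused call instead of a jump into `hidden_path`. Real schemes check the table (or a type-based label) inline at every indirect call, which is the runtime cost that makes CFI a research topic rather than a switch Apple could simply flip.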
Ironically, Apple's rival
"CFI is a very hot research topic right now," said Wang.
Wang and his team reported their findings to Apple in March, long before the paper was made public. "They said they appreciated the report," said Wang. But he was, like everyone else, in the dark about what Apple might do to block Jekylls from reaching the
Apple did not reply to a request for comment, but elsewhere the company has said it made changes in iOS in response.
According to Wang, iOS 7 is still vulnerable to the technique of hiding vulnerabilities in a Jekyll app and exploiting them after approval to do dirty work.
"However, Apple did enhance its sandbox policies," Wang said Tuesday in an email reply to follow-up questions. "Some of our attack instances no longer work, but we need to further figure out whether iOS 7 completely fixes the issues."
Apple has to do something, Wang argued. "It's not a big deal for a malicious app developer [to do this]," he said.
His recommendation to users? "Be very cautious when you download unknown, third-party apps," he said.