It’s not uncommon for blatant crud to find its way onto Google Play (my favourites still being those fake Apple apps from late last year). Conversely, Apple’s App Store vetting process is generally thought to be pretty strict. Or is it?
Some cheeky chaps at Georgia Tech successfully submitted a malicious app to the App Store, with approval coming after just a few seconds’ use. Oh dear.
On the face of it, the app claimed to offer news from Georgia Tech; however, it contained code fragments that were later stitched together into hideous malware, dubbed Jekyll.
Señor Jekyll was able to post tweets, send emails and texts, steal personal info, take photos, attack other apps, and redirect Safari to sites containing further malware. Eek.
To the team’s credit, they withdrew the app as soon as they had confirmed that they’d successfully unleashed a malware-ridden app on the App Store, and no unsuspecting victims were harmed.
“The app did a phone-home when it was installed, asking for commands. This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed,” explains team member and Stony Brook University researcher Long Lu.
“The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen.”
Indeed, as Lu says, there could be malware out there that hasn’t yet been detected. Happy apping, kids!