Biz & IT —

Seemingly benign “Jekyll” app passes Apple review, then becomes “evil”

App that sneaks into App store can be used to steal data, take stealth photos.

Dan Goodin - Aug 20, 2013 1:00 am UTC

Seemingly benign “Jekyll” app passes Apple review, then becomes “evil” — Wikipedia

Computer scientists say they found a way to sneak malicious programs into Apple's exclusive app store without being detected by the mandatory review process that's supposed to automatically flag such apps.

The researchers from the Georgia Institute of Technology used the technique to create what appeared to be a harmless app that Apple reviewers accepted into the iOS app store. They were later able to update the app to carry out a variety of malicious actions without triggering any security alarms. The app, which the researchers titled "Jekyll," worked by taking the binary code that had already been digitally signed by Apple and rearranging it in a way that gave it new and malicious behaviors.

"Our method allows attackers to reliably hide malicious behavior that would otherwise get their app rejected by the Apple review process," the researchers wrote in a paper titled Jekyll on iOS: When Benign Apps Become Evil. "Once the app passes the review and is installed on an end user's device, it can be instructed to carry out the intended attacks. The key idea is to make the apps remotely exploitable and subsequently introduce malicious control flows by rearranging signed code. Since the new control flows do not exist during the app review process, such apps, namely Jekyll apps, can stay undetected when reviewed and easily obtain Apple’s approval."

Apple representatives didn't immediately respond to a request for comment, but company spokesman Tom Neumayr told MIT Technology Review that developers have made changes to the iOS operating system in response to issues identified in the paper. It remains unclear if the vulnerabilities have been completely fixed.

The Jekyll app was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment, the researchers said. The app had the ability to carry out a variety of malicious attacks, including stealthily sending tweets, e-mails, and text messages, stealing device ID numbers, taking photos, and attacking other apps. The app could also cause Apple's Safari browser to load booby-trapped websites.

"Such a seemingly benign app can pass the app review because it neither violates any rules imposed by Apple nor contains functional malice," the researchers wrote. "However, when a victim downloads and runs the app, attackers can remotely exploit the planted vulnerabilities and in turn assemble the gadgets to accomplish various malicious tasks."

The attack described by the researchers in some ways resembles an exploit that allows hackers to inject malicious code into legitimate Android apps without invalidating their digital signature. The so-called "master-key vulnerability" was also discovered by white-hat researchers, but it's now being exploited in some third-party marketplaces.

Promoted Comments

simeonWise, Aged Ars Veteran
jump to post

I have just read the paper because I was confused regarding what attacks this app could actually perform.

Here is how each of the attacks work, and which versions of iOS they affect:

Sending SMS without the user's permission (iOS 5.x only)
- App uses a private API to construct and send the necessary SMS data as if the user had done the same via the GUI (Apple fixed this in iOS 6.x by having the SMS compose window run in its own process)

Sending Email without the user's permission (iOS 5.x only)
- App uses a private API to construct and send the necessary email data as if the user had done the same via the GUI (Apple fixed this in iOS 6.x by having the email compose window run in its own process)

Sending Tweets without the user's permission (iOS 5.x and 6.x)
- They located the private classes used by Twitter.framework using LLDB (SLTwitterSession / SLTwitterStatus). They then call private methods on these classes simulating the user confirming the sending of a Tweet.

Abuse Camera (iOS 5.x and 6.x)
- The Jekyll app can turn on the camera and record images without the user knowing — as far as I can tell this is not an attack in any sense. Any app can turn on the camera with public APIs and get access to the camera stream without displaying it on screen. (Note the app actually needs to be running while the camera is capturing.) So I am unsure why they class this one as an "attack".

Dialing (iOS 5.x and 6.x)
- Uses the private CTCallDial class to dial a phone number. I am unsure if the regular dialing interface is shown when this happens, does anyone know? The paper does not say.

Adjusting Bluetooth (iOS 5.x and 6.x)
- Can turn Bluetooth on and off using the private BluetoothManager class (a lot of sneaky apps did this in the past because users wanted a quick way to turn bluetooth on and off without going into settings).

Stealing Device Info (iOS 5.x and 6.x)
- Can access IMEI, IMSI, ICCID using private methods

Rebooting System (iOS 5.x)
- They are able to load IOKit dynamically and exploit a bug in the iOS 5 version of the framework that causes a NULL pointer dereference. This causes the iOS 5.x device to reboot.

Crash Mobile Safari (iOS 5.x and 6.x)
- I am unsure why they included this (and the whole "we can attack other apps" angle) in the paper. Basically they are saying they can load a url, which may cause another app to load to handle that URL. If the app handling the URL has a vulnerability they can exploit, they might be able to form the data in their URL request in such a way to exploit the receiving app. This method does not use any private APIs nor require anything other than a standard URL request — so I am unsure why it is included in this paper. Their example is to crash Safari by loading a http:// URL with some malformed javascript code.

The most interesting attacks in the whole paper are the ability to send Tweets, SMS and Email without the user's permission — but the latter two do not work under iOS 6. So the most interesting practical vulnerability is the ability to make users Tweet things without their permission.

Note that all this dynamic code loading is actually not necessary to bypass Apple's review process. API obfuscation is usually enough — combined with not allowing your app to misbehave until after it has passed review (via a server side check).

111 posts | registered Jun 9, 2010
jroseArs Praetorian
jump to post

Chikahiro wrote:
Ah, the perpetual cat and mouse game. This is cool to see, and glad it was a security researcher that found it.

You mean, you're glad that a security researcher has announced it. We have no idea if others (Black Hats) have been using the concept already, all we can confirm/deny is whether or not there have been exploit reports.

504 posts | registered Feb 15, 2006
markstanislavSmack-Fu Master, in training
jump to post

This is similar to the Android research that Jon Oberheide and Charlie Miller did last year against Google's Bouncer platform (https://blog.duosecurity.com/2012/06/di ... s-bouncer/). During their research they were able to interrogate the functions of Bouncer directly (via a trojan, effectively) and assess how it determines potential malware through a series of tests. Cleverly enough, they used that knowledge to determine how to avoid Bouncer's testing by disabling malware-functionality only when Bouncer was active and not on actual target devices the end-user would be running it on.

These sorts of malware-testing sandboxes certainly help curtail a larger set of problems but still leave high potential risk for skilled attackers as both the previous Android research and this iOS research have shown. In both of these instances, however, the security teams for Google and Apple gained some serious insights that will likely have broad positive effects for app security.

1 post | registered Aug 20, 2013

Promoted Comments

simeonWise, Aged Ars Veteran
jump to post

I have just read the paper because I was confused regarding what attacks this app could actually perform.

Here is how each of the attacks work, and which versions of iOS they affect:

Sending SMS without the user's permission (iOS 5.x only)
- App uses a private API to construct and send the necessary SMS data as if the user had done the same via the GUI (Apple fixed this in iOS 6.x by having the SMS compose window run in its own process)

Sending Email without the user's permission (iOS 5.x only)
- App uses a private API to construct and send the necessary email data as if the user had done the same via the GUI (Apple fixed this in iOS 6.x by having the email compose window run in its own process)

Sending Tweets without the user's permission (iOS 5.x and 6.x)
- They located the private classes used by Twitter.framework using LLDB (SLTwitterSession / SLTwitterStatus). They then call private methods on these classes simulating the user confirming the sending of a Tweet.

Abuse Camera (iOS 5.x and 6.x)
- The Jekyll app can turn on the camera and record images without the user knowing — as far as I can tell this is not an attack in any sense. Any app can turn on the camera with public APIs and get access to the camera stream without displaying it on screen. (Note the app actually needs to be running while the camera is capturing.) So I am unsure why they class this one as an "attack".

Dialing (iOS 5.x and 6.x)
- Uses the private CTCallDial class to dial a phone number. I am unsure if the regular dialing interface is shown when this happens, does anyone know? The paper does not say.

Adjusting Bluetooth (iOS 5.x and 6.x)
- Can turn Bluetooth on and off using the private BluetoothManager class (a lot of sneaky apps did this in the past because users wanted a quick way to turn bluetooth on and off without going into settings).

Stealing Device Info (iOS 5.x and 6.x)
- Can access IMEI, IMSI, ICCID using private methods

Rebooting System (iOS 5.x)
- They are able to load IOKit dynamically and exploit a bug in the iOS 5 version of the framework that causes a NULL pointer dereference. This causes the iOS 5.x device to reboot.

Crash Mobile Safari (iOS 5.x and 6.x)
- I am unsure why they included this (and the whole "we can attack other apps" angle) in the paper. Basically they are saying they can load a url, which may cause another app to load to handle that URL. If the app handling the URL has a vulnerability they can exploit, they might be able to form the data in their URL request in such a way to exploit the receiving app. This method does not use any private APIs nor require anything other than a standard URL request — so I am unsure why it is included in this paper. Their example is to crash Safari by loading a http:// URL with some malformed javascript code.

The most interesting attacks in the whole paper are the ability to send Tweets, SMS and Email without the user's permission — but the latter two do not work under iOS 6. So the most interesting practical vulnerability is the ability to make users Tweet things without their permission.

Note that all this dynamic code loading is actually not necessary to bypass Apple's review process. API obfuscation is usually enough — combined with not allowing your app to misbehave until after it has passed review (via a server side check).

111 posts | registered Jun 9, 2010
jroseArs Praetorian
jump to post

Chikahiro wrote:
Ah, the perpetual cat and mouse game. This is cool to see, and glad it was a security researcher that found it.

You mean, you're glad that a security researcher has announced it. We have no idea if others (Black Hats) have been using the concept already, all we can confirm/deny is whether or not there have been exploit reports.

504 posts | registered Feb 15, 2006
markstanislavSmack-Fu Master, in training
jump to post

This is similar to the Android research that Jon Oberheide and Charlie Miller did last year against Google's Bouncer platform (https://blog.duosecurity.com/2012/06/di ... s-bouncer/). During their research they were able to interrogate the functions of Bouncer directly (via a trojan, effectively) and assess how it determines potential malware through a series of tests. Cleverly enough, they used that knowledge to determine how to avoid Bouncer's testing by disabling malware-functionality only when Bouncer was active and not on actual target devices the end-user would be running it on.

These sorts of malware-testing sandboxes certainly help curtail a larger set of problems but still leave high potential risk for skilled attackers as both the previous Android research and this iOS research have shown. In both of these instances, however, the security teams for Google and Apple gained some serious insights that will likely have broad positive effects for app security.

1 post | registered Aug 20, 2013

Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene.

Channel Ars Technica

← Previous story Next story →

Promoted Comments

Promoted Comments

reader comments

Channel Ars Technica