An app for iOS evil, designed to disguise themselves as good and acceptable in the Apple review process and then reassembled to become aggressive internally on an attacker, even running in the “sandbox” (sandbox) of iOS apps designed to isolate and data from other programs, has just been launched by a team of researchers from the Center for Information Technology and Security (GTISC, for its acronym in English), with the intention to monitor the whole process of acceptance of an app.The researchers found that Apple pulled the app for a couple of seconds to finally accept it. That was not enough time in any way for the app to become malware. The app is called Jekyll and name refers to the novel by Robert Louis Stevenson, “The Strange Case of Dr. Jekyll and Mr. Hyde”. The story is about the two personalities in Dr Henry Jekyll: a good but one, manifested as Edward Hyde, deeply evil.
In the design of the app did more than hide the offending code on legitimate behavior. Jekyll was later dfiseñada to relocate the components to create new features that could not have been detected in the review process. “Our research shows that even if the app run in the sandbox, Jekyll app can do tasks such as writing malicious tweets , take photos, send emails and SMS messages and even attack other apps without the user’s express knowledge, “says Tielei Wang, a press release of July 31. Wang is the leader of the development team in GTISC.
Interestingly several blogs echoed this statement, but until the MIT Technology Review , made the news, not paid much attention. The author of the article in this publication indicates that Jekyll could further magnify its effects, it may direct the default Apple browser, Safari, to a place where there are more malware.
Jekyll is a Trojan horse, which is recreated once downloaded. Then send information to the creators (attackers), asking for the command to execute. This gives the ability to generate new behaviors in the logic of the app, which they were when it was installed.
A scheme that is considered safe is that of the sandbox, which is critical for the safety of the entire operating system, which isolates the apps and associated data, preventing it from attacking other parts of the system. The problem is that the attackers in the case of Jekyll, were well aware of the prohibitions of the sandbox and potential blind spots, which is where they take advantage.
The app only Jekyll was “live” for a couple of minutes last March and casualties were not.During that short time, the researchers installed on their own mobile and attacked themselves. So deleted the app before it could do much damage. The message is clear: “we mean that Apple’s review process is in most cases static, this is not enough, because with dynamically generated logic, you can create all kinds of app” says one of the researchers the app in question.
The result of this new attack gave the document: “Jekyll on iOS: when benign Apps Become evil” (Jekyll in iOS, when turned evil benign Apps), which will be presented at the Symposium number Usenix Security 22. The full article can be downloaded from this site .
An Apple spokesman, Tom Neumayr said Apple has made some changes to its iOS mobile operating system in response to the problems encountered in the process and noted in the article by the researchers. However, no details of the review process for apps.