Researchers at Georgia Institute of Technology have uncovered a process which is claimed to slip past the mandatory software review and code-signing systems that protect apps in the Apple App Store.
As part of the study, the team was able to upload a fake iOS malware app to the Apple App Store and then remotely attacked a controlled group of devices that had installed the application.
The ‘Jekyll’ app, developed by Georgia Tech researchers, was able to post tweets, capture images, deliver emails and messages, while stealing information related to device identity.
Researchers said in a statement that the method allows attackers to reliably hide malicious behaviour that would otherwise get their app rejected by the Apple review process.
"Once the app passes the review and is installed on an end user’s device, it can be instructed to carry out the intended attacks," researchers added.
"The key idea is to make the apps remotely exploitable and subsequently introduce malicious control flows by rearranging signed code.
"Since the new control flows do not exist during the app review process, such apps, namely Jekyll apps, can stay undetected when reviewed and easily obtain Apple’s approval."
The app was created with built-in, remotely exploitable vulnerabilities, masked by legitimate features to avoid detection during the App Store approval process, and activated soon after the app was installed on an iOS device.