Apple iOS Security Defeated by Jekyll : Researchers Managed to Install ‘Jekyll’ Malware App in Few Seconds

Researchers prove that Apple may not be that secured as they have managed to get a malware named “Jekyll” inside the Apple Store in just a few seconds.

Long Lu, a researcher from the Stony Brook University, worked with Tielei Wang in creating the app that was able to break in Apple’s security. The researchers uploaded Jekyll in the App Store in March and stayed for a few minutes so no iOS devices were harmed during their experiment.

The team installed the app to their own devices and waited for the malware to kick in before they removed it to their devices. It only took a few minutes for the malware to activate itself but the researchers managed to uninstall it to their own devices before it could do damage.

The malicious app disguised itself as a news app for Georgia Tech, a public research university based in Atlanta, Ga. It contained code fragments designed to convert itself to a malware once downloaded. The malware is capable of posting tweets, send emails and text messages, obtain personal information and device ID numbers, take photos, and attack other apps without the user knowing it. Furthermore, it could affect Apple’s own browser Safari to redirect the user to a website containing more malware.

“The app did a phone-home when it was installed, asking for commands. This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed,” said Lu to MIT Review.

The researchers initiated the experiment to find out how long Apple conducts the review of the apps sent by developers up until the time it gets approved and released to App Store. They discovered that the static analysis used by Apple is ineffective.

“The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen,” Lu said to MIT Review.

The research will be presented on Friday at the Usenix conference in Washington, D.C.

Meanwhile, Apple spokesperson Tom Neumayr told MIT that the company is now revamping the iOS to address the issues mentioned by the Lu’s team. However, he refused to comment about the app review process.