Georgia Tech researchers get malware app approved by Apple

“Mystery has long shrouded how Apple vets iPhone, iPad, and iPod apps for safety,” David Talbot reports for Technology Review.

“Now, researchers who managed to get a malicious app up for sale in the App Store have determined that the company’s review process runs at least some programs for only a few seconds before giving the green light,” Talbot reports. “This wasn’t long enough for Apple to notice that an app that purported to offer news from Georgia Tech contained code fragments that later assembled themselves into a malicious digital creature.”

Talbot reports, “The Jekyll app was live for only a few minutes in March, and no innocent victims installed it, Lu says. During that brief time, the researchers installed it on their own Apple devices and attacked themselves, then withdrew the app before it could do real harm… By monitoring the app, [the researchers] could tell that Apple ran it for only a few seconds prior to releasing it.”

Read more in the full article here.
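The article says only that the researchers "monitored" the app and concluded from that monitoring that Apple ran it for a few seconds. One common way to get that kind of measurement is to have the app send a beacon to a server the submitter controls on every launch and at a fixed interval afterwards, then look for installs that ran before the app was on sale: only the submitter's own devices and the reviewer's can have done so. The script below is an added illustration of that analysis and is not code from the Georgia Tech team, the article, or Apple; the log format, the install identifiers, the two-second heartbeat cadence, the release timestamp and every sample line are constructed for the example.

```python
"""Estimate how long each install of a submitted app was run, from launch and
heartbeat beacons.  Added illustration: the log format, field names, beacon
cadence and sample lines are constructed here, not taken from the Georgia
Tech study or from Apple."""
from collections import defaultdict
from datetime import datetime, timezone

HEARTBEAT_INTERVAL_S = 2  # assumed cadence of the app's heartbeat beacon

# Constructed sample beacon log, one "<ISO timestamp> <install_id> <event>"
# record per line.  Each install sends "launch" on start and "heartbeat"
# every HEARTBEAT_INTERVAL_S seconds while it stays in the foreground.
SAMPLE_LOG = """\
2013-03-14T09:12:01Z inst-a1 launch
2013-03-14T09:12:03Z inst-a1 heartbeat
2013-03-14T09:12:05Z inst-a1 heartbeat
2013-03-15T16:41:10Z inst-b2 launch
2013-03-15T16:41:12Z inst-b2 heartbeat
2013-03-15T16:41:14Z inst-b2 heartbeat
2013-03-15T16:41:16Z inst-b2 heartbeat
2013-03-15T16:41:18Z inst-b2 heartbeat
2013-03-15T16:41:20Z inst-b2 heartbeat
2013-03-15T16:41:22Z inst-b2 heartbeat
2013-03-15T16:42:30Z inst-b2 launch
2013-03-15T16:42:32Z inst-b2 heartbeat
2013-03-15T16:42:34Z inst-b2 heartbeat
2013-03-15T16:41:11Z inst-c3 launch
2013-03-15T16:41:13Z inst-c3 heartbeat
2013-03-15T16:41:15Z inst-c3 heartbeat
2013-03-15T16:41:17Z inst-c3 heartbeat
malformed line that the parser must skip
"""

# Constructed moment at which the app went on sale; anything that ran
# before this is a pre-release install (submitter's devices or the reviewer).
RELEASE_TIME = datetime(2013, 3, 15, 16, 40, tzinfo=timezone.utc)


def parse_beacons(text):
    """Return [(timestamp, install_id, event)] sorted by time; drop bad lines."""
    beacons = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in ("launch", "heartbeat"):
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        beacons.append((ts.replace(tzinfo=timezone.utc), parts[1], parts[2]))
    beacons.sort(key=lambda b: b[0])
    return beacons


def sessions(beacons):
    """Group beacons into sessions per install: every 'launch' opens a new
    session and later heartbeats extend it until the next launch.
    Returns {install_id: [(start, last_seen, observed_seconds), ...]}."""
    per_install = defaultdict(list)  # install_id -> [[start, last_seen], ...]
    for ts, inst, event in beacons:
        runs = per_install[inst]
        if event == "launch" or not runs:  # heartbeat w/o launch still counts
            runs.append([ts, ts])
        else:
            runs[-1][1] = ts
    return {inst: [(s, e, int((e - s).total_seconds())) for s, e in runs]
            for inst, runs in per_install.items()}


def review_candidates(beacons, release_time):
    """Installs whose first session began before release, with the total
    observed run time and an upper bound that allows for one heartbeat
    interval after the last beacon (the app may have been killed just
    before the next one was due)."""
    out = []
    for inst, runs in sessions(beacons).items():
        if min(s for s, _, _ in runs) < release_time:
            observed = sum(r for _, _, r in runs)
            out.append((inst, observed, observed + HEARTBEAT_INTERVAL_S))
    return sorted(out)


if __name__ == "__main__":
    for inst, lo, hi in review_candidates(parse_beacons(SAMPLE_LOG), RELEASE_TIME):
        print(f"{inst}: ran before release for {lo}-{hi} seconds in total")
```

The resolution of the estimate is the heartbeat interval, so the result is a range rather than a single number; a beacon that fires only on launch, with no heartbeat, would tell you that the reviewer started the app but nothing about how long it stayed open. Note also that an app which phones home at launch is itself something a reviewer can see in network traffic, which is one reason a short, dynamic-only run says little about what a submission will do later.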

MacDailyNews Take: Obviously, Apple’s three college interns, err… “iOS App Approval Department” needs to do a much better job here, especially since this is one of iOS’s significant and growing advantages over certain other malware-infested mobile OSes.

Wouldn’t want to piss that advantage away by being cheap and/or incompetent and/or lazy, right, Tim?

Related articles:
Android app malware rates skyrocket 40 percent in last quarter – August 7, 2013
First malware found in wild that exploits Android app signing flaw – July 25, 2013
Mobile Threats Report: Android accounts for 92% of all mobile malware – June 26, 2013
Latest self-replicating Android Trojan looks and acts just like Windows malware – June 7, 2013
99.9% of new mobile malware targets Android phones – May 30, 2013
Mobile malware exploding, but only for Android – May 14, 2013
Mobile malware: Android is a bad apple – April 15, 2013
F-Secure: Android accounted for 96% of all mobile malware in Q4 2012 – March 7, 2013
New malware attacks Android phones, Windows PCs to eavesdrop, steal data; iPhone, Mac users unaffected – February 4, 2013
FBI issues warning over Android malware attacks – October 15, 2012
Researchers discover serious flaw in Android app security, say HTC and Samsung ignore issue – September 28, 2012
Apple’s iPhone has passed a key security threshold – August 13, 2012
Android permissions flaw allows eavesdropping, data theft, location tracking – December 2, 2011
Massive HTC Android security flaw leaves security expert speechless – October 2, 2011
Apple’s iOS unaffected by malware as Android exploits surge 76% – August 24, 2011
Android malware records phone calls; iPhone users unaffected – August 2, 2011
Symantec: Apple iOS offers ‘full protection,’ Google Android ‘little protection’ vs. malware attacks – June 29, 2011
Malware apps spoof Android Market to infect Android phones – June 21, 2011
Google forced to pull several malware-infested apps from Android market – June 8, 2011
Android malware sees explosive growth; even faster than with PCs – April 27, 2011
Virus-laden apps infest Google’s ‘open’ Android platform; iPhone unaffected – March 3, 2011
Security firm warns of new Android trojan that can steal personal information; iPhone unaffected – December 30, 2010
Trojan infects Android smartphones; iPhone unaffected – August 10, 2010
Millions of Android phone users slammed by malicious data theft app – July 29, 2010
Unlike proactive Apple, reactive Google doesn’t block malware from Android app store – June 4, 2010
Malware designed to steal bank information pops up in Google’s Android app store – January 11, 2010


      1. The obvious point here was NOT to sell this app to the wide audience, but to manage to get it approved as an experiment, which apparently succeeded.

        The “GT News App” was plausible enough as a concept not to raise any eyebrows at Apple (your concern notwithstanding), so the whole experiment concluded safely, but proved the point it set out to prove.

        MDN is right.

  1. As a former Apple employee, this makes me sad. As a developer this makes me somewhat angry: Now the approval process is going to take even longer, and that’s generally a bad thing for development teams. Sure, it’s good for the platform, but the platform wasn’t doing too badly before this.

    1. And if it took 6 weeks to approve an App, the “payload” would drop in 7 weeks.

      Any security system can be circumvented. Apple at least tries.

      I wonder if breaking into that dentist office and stealing the drugs would be ok if I admitted it later to prove a point.

  2. If that app was sent or created on Georgia Tech equipment, I would pull the university’s developer privileges for a few months from any of their IP addresses. Let ALL the universities know that if this crap happens at your place, there will be a response from Apple.

    1. Ah yes, the typical reactionary “shoot the messenger” type.

      Your kind are the reason white-hat hackers are harassed for providing a valuable service (non-damaging disclosures and occasionally examples of vulnerabilities in either code or business processes), and prevent (further?) damage by black-hats who may have already found and sold these exploits.

    2. What? I think those Georgia Tech guys need to be taking one-way tickets to Georgia while they still can.

      I mean some American recently pointed out that the US government is spying on people and he’s had to hide out in Russia somewhere.

      I mean pointing out that a government has no moral integrity at all is nothing more than the obvious.

      This though, this is a serious effective company, something important, something valued. Something does need to be done, otherwise there will be all sorts of anarchy, leading to analysts doing surveys on rumored products.

  3. I would expect that part of the review process is taking a look at where the app comes from. In this case it came from an institution of higher learning and they claimed it offered news about Georgia Tech. I expect it wasn’t the first app from Georgia Tech nor the first of this type of app from a college or university. It would make sense not to spend a lot of time reviewing such an app. If it does what it is supposed to and doesn’t crash it should be good to go. I’ve got no problem with Apple extending a certain level of trust to a developer like this. Now, if this was an app submitted by an independent or commercial app developer, I’d be more worried.

  4. The app approval process is only one aspect of App Store security. If you circumvent that with a malware app, the second stage is the remote kill switch. The third thing that happens after that is your bank account is frozen by the police. The next thing that happens is a policeman taps you on the shoulder with a warrant for your arrest on hacking charges.

    As an iOS developer you have to provide Apple with your real name, address, and bank details. This is not Android, where all you need is an email address. In Australia, to get a bank account you need a photo driver’s license, birth certificate and a passport. Think you can fake those?

    Apple will happily provide the evidence of hacking to the local police, anywhere in the world. With that, law enforcement can apply to have the malware developer’s iPhone location tracked, which Apple will happily do. Same with the developer’s bank accounts. Do you think any iOS developer won’t have some sort of iOS device? They can certainly track your Mac at least.

    So what is the upside to developing iOS malware? Criminals need a financial incentive and some chance of getting away with crime for it to be worth breaking the law.

  5. Ha! Wouldn’t be a tragedy for Tech fans getting malware infections! Go Dawgs!

    (The preceding message brought to you courtesy of a UGA grad who is required by law to detest Georgia Tech. No bumblebees were harmed in the production of this message)

  6. The site is:

    The statement is: “If you apply for an A[n]ustralian bank account within six weeks of moving to A[n]ustralia then initially you will only require your passport as a form of ID.”

    Kids can also have bank accounts, so they won’t need, or be able to supply, a passport and driver’s license to get a bank account.

    You’ll find similar requirements for banks in other places.

    That being said, I slightly disagree that “criminals need a financial incentive and some chance of getting away with crime for it to be worth breaking the law.”

    Having had to endure the quasi so called human beings on that putrid island I can say from experience that racism and hatred, and just plain Anustralism is enough to break the law, repeatedly. I’ve had to endure the consequences of that many many times before I escaped.

    No tears shed here if that place gets blanked off the planet.

    1. As for the child account you also need the signature and id details of the parent or guardian and the child’s birth certificate.
      Parent/guardian is responsible for child’s action. Still got someone to hunt down sunshine 😉

    2. Even better. Just say you do manage to get a false passport to hide your identity or falsify the details. After the court has finished with you on the hacking charges you can look forward to the following for passport fraud:
      “The penalties for passport fraud differ from region to region, but most are extremely severe. In the United States, the crime is a federal felony and may result in a minimum prison sentence of ten years. Sentences go up significantly for repeat offenders or those who used the passport to perpetrate crime. In Australia, penalties include ten years in jail and a fine of up to $110,000 Australian Dollars”

      Something to look forward to for the potential iOS malware developer.

      For Android malware? Well, good luck tracking someone down with just an email address. Maybe that has something to do with the explosion in Android malware? Nah, iOS is just as insecure as Android. Lol 😉
