Georgia Tech researchers get malware app approved by Apple

“Mystery has long shrouded how Apple vets iPhone, iPad, and iPod apps for safety,” David Talbot reports for technology Review.

“Now, researchers who managed to get a malicious app up for sale in the App Store have determined that the company’s review process runs at least some programs for only a few seconds before giving the green light,” Talbot reports. “This wasn’t long enough for Apple to notice that an app that purported to offer news from Georgia Tech contained code fragments that later assembled themselves into a malicious digital creature.”

Talbot reports, “The Jekyll app was live for only a few minutes in March, and no innocent victims installed it, Lu says. During that brief time, the researchers installed it on their own Apple devices and attacked themselves, then withdrew the app before it could do real harm… By monitoring the app, [the researchers] could tell that Apple ran it for only a few seconds prior to releasing it.”

Read more in the full article here.

MacDailyNews Take: Obviously, Apple’s three college interns, err… “iOS App Approval Department” needs to do a much better job here, especially since this is one of iOS’s significant and growing advantages over certain other malware-infested mobile OSes.

Wouldn’t wait to piss that advantage away by being cheap and/or incompetent and/or lazy, right, Tim?

Related articles:
Android app malware rates skyrocket 40 percent in last quarter – August 7, 2013
First malware found in wild that exploits Android app signing flaw – July 25, 2013
Mobile Threats Report: Android accounts for 92% of all mobile malware – June 26, 2013
Latest self-replicating Android Trojan looks and acts just like Windows malware – June 7, 2013
99.9% of new mobile malware targets Android phones – May 30, 2013
Mobile malware exploding, but only for Android – May 14, 2013
Mobile malware: Android is a bad apple – April 15, 2013
F-Secure: Android accounted for 96% of all mobile malware in Q4 2012 – March 7, 2013
New malware attacks Android phones, Windows PCs to eavesdrop, steal data; iPhone, Mac users unaffected – February 4, 2013
FBI issues warning over Android malware attacks – October 15, 2012
Researchers discover serious flaw in Android app security, say HTC and Samsung ignore issue – September 28, 2012
Apple’s iPhone has passed a key security threshold – August 13, 2012
Android permissions flaw allows eavesdropping, data theft, location tracking – December 2, 2011
Massive HTC Android security flaw leaves security expert speechless – October 2, 2011
Apple’s iOS unaffected by malware as Android exploits surge 76% – August 24, 2011
Android malware records phone calls; iPhone users unaffected – August 2, 2011
Symantec: Apple iOS offers ‘full protection,’ Google Android ‘little protection’ vs. malware attacks – June 29, 2011
Malware apps spoof Android Market to infect Android phones – June 21, 2011
Google forced to pull several malware-infested apps from Android market – June 8, 2011
Android malware sees explosive growth; even faster than with PCs – April 27, 2011
Virus-laden apps infest Google’s ‘open’ Android platform; iPhone unaffected – March 3, 2011
Security firm warns of new Android trojan that can steal personal information; iPhone unaffected – December 30, 2010
Trojan infects Android smartphones; iPhone unaffected – August 10, 2010
Millions of Android phone users slammed by malicious data theft app – July 29, 2010
Unlike proactive Apple, reactive Google doesn’t block malware from Android app store – June 4, 2010
Malware designed to steal bank information pops up in Google’s Android app store – January 11, 2010


      1. The obvious point here was NOT to sell this app to the wide audience, but to manage to get it approved as an experiment, which apparently succeeded.

        The “GT News App” was plausible enough as a concept not to raise any eyebrows at Apple (your concern notwithstanding), so the whole experiment concluded safely, but proved the point it set out to prove.

        MDN is right.

  1. As a former Apple employee, this makes me sad. As a developer this makes me somewhat angry: Now the approval process is going to take even longer, and that’s generally a bad thing for development teams. Sure, it’s good for the platform, but the platform wasn’t doing too badly before this.

    1. And if it took 6 weeks to approve an App, the “payload” would drop in 7 weeks.

      Any security system can be circumvented. Apple at least tries.

      I wonder if breaking into that dentist office and stealing the drugs would be ok if I admitted it later to prove a point.

  2. If that app was sent or created on Georgia Tech equipment, I would pull the universities developer privileges for a few months from any of their IP addresses. Let ALL the universities know that if this crap happens at your place, there will be a response from Apple.

    1. Ah yes, the typical reactionary “shoot the messenger” type.

      Your kind are the reason white-hat hackers are harassed for providing a valuable service (non-damaging disclosures and occasionally examples of vulnerabilities in either code or business processes), and prevent (further?) damage by black-hats who may have already found and sold these exploits.

    2. What? I think those Georgia tech guys need to be taking one way tickets to Georgia while they still can.

      I mean some American recently pointed out that the US government is spying on people and he’s had to hide out in Russia somewhere.

      I mean pointing out that a government has no moral integrity all at is nothing more than the obvious.

      This though, this is a serious effective company, something important, something valued. Something does need to be done, otherwise there will be all sorts of anarchy, leading to analysts doing surveys on rumored products.

  3. I would expect that part of the review process is taking a look at where the app comes from. In this case it came from an institution of higher learning and they claimed it offered news about Georgia Tech. I expect it wasn’t the first app from Georgia Tech nor the first of this type of app from a college or university. It would make sense not to spend a lot of time reviewing such an app. If it does what it is supposed to and doesn’t crash it should be good to go. I’ve got no problem with Apple extending a certain level of trust to a developer like this. Now, if this was an app submitted by an independent or commercial app developer, I’d be more worried.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.