"Jekyll" test attack sneaks through Apple App Store, wreaks havoc on iOS

Acting like a software version of a Transformer robot, a malware test app sneaked through Apple's review process disguised as a harmless app, and then re-assembled itself into an aggressive attacker even while running inside the iOS "sandbox" designed to isolate apps and data from each other.

The app, dubbed Jekyll, was helped by Apple's review process. The malware designers, a research team from Georgia Institute of Technology's Information Security Center (GTISC), were able to monitor their app during the review: they discovered Apple ran the app for only a few seconds, before ultimately approving it. That wasn't anywhere near long enough to discover Jekyll's deceitful nature.

RELATED:Malicious power-charger can infect Apple iOS devices

The name is a reference to the 1886 novella by Robert Louis Stevenson, called "The Strange Case of Dr Jekyll and Mr Hyde." The story is about the two personalities within Dr. Henry Jekyll: one good, but the other, which manifests as Edward Hyde, deeply evil.

Jekyll's design involves more than simply hiding the offending code under legitimate behaviors. Jekyll was designed to later re-arrange its components to create new functions that couldn't have been detected by the app review. It also directed Apple's default Safari browser to reach out for new malware from specific Websites created for that purpose.

"Our research shows that despite running inside the iOS sandbox, a Jekyll-based app can successfully perform many malicious tasks, such as posting tweets, taking photos, sending email and SMS, and even attacking other apps all without the user's knowledge," says Tielei Wang, in a July 31 press release by Georgia Tech. http://www.gatech.edu/newsroom/release.html?nid=225501 Wang led the Jekyll development team at GTISC; also part of the team was Long Lu, a Stony Brook University security researcher.

Some blogs and technology sites picked up on the press release in early August. But wider awareness of Jekyll, and its implications, seems to have been sparked by an August 15 online story in the MIT Technology Review, by Dave Talbot, who interviewed Long Lu for a more detailed account.

Jekyll "even provided a way to magnify its effects, because it could direct Safari, Apple's default browser, to a website with more malware," Talbot wrote.

A form of Trojan Horse malware, the recreated Jekyll, once downloaded, reaches out to the attack designers for instructions. "The app did a phone-home when it was installed, asking for commands," Lu explained. "This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed."

Sandboxing is a fundamental tenant of secure operating systems, intended to insulate apps and their associated data from each other, and avoid the very attacks and activities that Jekyll was able to carry off. It's also explicitly used as a technique for detecting malware by running code in a protected space where it can be automatically analyzed for traits indicative of a malicious activity. The problem is that attackers are well aware of sandboxing and are working to exploit existing blind spots. [See "Malware-detecting 'sandboxing' technology no silver bullet"

"The Jekyll app was live for only a few minutes in March, and no innocent victims installed it, Lu says," according to Talbot's account. "During that brief time, the researchers installed it on their own Apple devices and attacked themselves, then withdrew the app before it could do real harm."

"The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen," Lu says.

The results of the new attack, in a paper titles "Jekyll on iOS: when benign apps become evil," was scheduled to be presented in a talk last Friday at the 22nd Usenix Security Symposium, in Washington, D.C. The full paper is available online. In addition to Wang and Lu, the other co-authors are Kangjie Lu, Simon Chung, and Wenke Lee, all with Georgia Tech.

Apple spokesman Tom Neumayr said that Apple "some changes to its iOS mobile operating system in response to issues identified in the paper," according to Talbot. "Neumayr would not comment on the app-review process."

Oddly the same July 31 Georgia Tech press release that revealed Jekyll also revealed a second attack vector against iOS devices, via a custom built hardware device masquerading as a USB charger. Malware in the charger was injected into an iOS device. This exploit, presented at the recent Black Hat Conference, was widely covered (including by Network World's Layer8 blog) while Jekyll was largely overlooked.

John Cox covers wireless networking and mobile computing for "Network World."

Twitter: http://twitter.com/johnwcoxnww

Email: john_cox@nww.com

Read more about anti-malware in Network World's Anti-malware section.

Join the CSO newsletter!

Error: Please check your email address.

Tags NetworkingJekyll iossmartphonesGeorgia TechwirelessApple securityApple iOSanti-malwareAppleconsumer electronicsGeorgia Institute of Technologysecurity

More about AppleGeorgia Institute of TechnologyMITTechnologyWang

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John Cox

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts