Free Republic

Malicious Jekyll App Sneaks into Apple's Walled Garden, Doubts Raised About Vetting Process
latinospost.com ^ | Aug 17, 2013 01:42 PM EDT | By Robert Schoon

Posted on 08/17/2013 11:29:40 AM PDT by BenLurkin

It's not too hard to slip a bug into Apple's iOS walled garden, according to researchers at Georgia Tech, who managed to slip a malicious app into the Apple App Store undetected. The research team's success now calls into question Apple's undisclosed app vetting system.

The malware, appropriately called "Jekyll" by the research team at the Georgia Institute of Technology, was designed to look like a respectable app through Apple's review process, only turning malicious after it's installed on an iOS device. In this case, the malicious code went in the guise of a Georgia Tech news app.

To get Apple's approval and be placed in the App Store, every app must go through mandatory review and code signing mechanisms. Jekyll contained code fragments that later assembled into a bunch of malicious code after being activated remotely. "The app did a phone-home when it was installed, asking for commands," said Long Lu, a member of the research team, to MIT Technology Review. "This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed."

(Excerpt) Read more at latinospost.com ...


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: apple

1 posted on 08/17/2013 11:29:40 AM PDT by BenLurkin

To: ShadowAce

Ping


2 posted on 08/17/2013 11:33:55 AM PDT by Bikkuri (Molon Labe)

To: BenLurkin
I realize that this issue is strictly applicable at this point only to Apple Store apps.

I wonder if the same technology could, or has been used in electronic (Presidential, Congressional, or local) elections.

3 posted on 08/17/2013 11:41:30 AM PDT by Tilted Irish Kilt ((Enlightened statesmen will not always be at the helm. -- James Madison))

To: Tilted Irish Kilt
Back in the day, we had some software that monitored mainframe performance. It had to be very efficient because you don't want to impact the performance of the system you are monitoring. Unfortunately, the information available from the OS was very arcane to wade through at runtime....to get at over 2000 metrics each 15s monitoring interval, you had to request the latest stats buffer from the OS and indirectly go through various links and references...from 6 to 12 references deep....to find the data for the particular metric. Even with assembler, that was too much overhead.

Our solution was the following: at startup, we requested the buffer initially, found the locations for each metric for that particular OS configuration, and rewrote the instructions to access each in a DBank (data banks were modifiable; IBanks — instruction banks — were not). When we were done, we deleted the old IBank, changed the DBank to mark it as an IBank, and the rest was history.

Extremely efficient. Our competitor's performance could come close. Looking back, and if we had wanted to be malicious, we could have done whatever we wanted, as the privileges to obtain those metrics already meant we had access to anything.

This was 30 years ago. Nothing new under the sun.

Kids today think they are doing things for the first time. Heh.

4 posted on 08/17/2013 12:28:55 PM PDT by ImaGraftedBranch (...By reading this, you've collapsed my wave function. Thanks.)

To: ImaGraftedBranch

Couldn’t come close, that should read...


5 posted on 08/17/2013 12:31:51 PM PDT by ImaGraftedBranch (...By reading this, you've collapsed my wave function. Thanks.)

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
