Acting like a software version of a Transformer robot, a malware test app sneaked through Apple’s review process disguised as a harmless app, and then re-assembled itself into an aggressive attacker even while running inside the iOS “sandbox” designed to isolate apps and data from each other.
The app, dubbed Jekyll, was helped by Apple’s review process. The malware designers, a research team from Georgia Institute of Technology’s Information Security Center (GTISC), were able to monitor their app during the review: they discovered Apple ran the app for only a few seconds, before ultimately approving it. That wasn’t anywhere near long enough to discover Jekyll’s deceitful nature.
The name is a reference to the 1886 novella by Robert Louis Stevenson, called “The Strange Case of Dr Jekyll and Mr Hyde.” The story is about the two personalities within Dr. Henry Jekyll: one good, but the other, which manifests as Edward Hyde, deeply evil.
Jekyll’s design involves more than simply hiding the offending code under legitimate behaviours. Jekyll was designed to later re-arrange its components to create new functions that couldn’t have been detected by the app review. It also directed Apple’s default Safari browser to reach out for new malware from specific Websites created for that purpose.
“Our research shows that despite running inside the iOS sandbox, a Jekyll-based app can successfully perform many malicious tasks, such as posting tweets, taking photos, sending email and SMS, and even attacking other apps – all without the user’s knowledge,” says Tielei Wang, in a July 31 press release by Georgia Tech. Wang led the Jekyll development team at GTISC; also part of the team was Long Lu, a Stony Brook University security researcher.
Some blogs and technology sites picked up on the press release in early August. But wider awareness of Jekyll, and its implications, seems to have been sparked by an August 15 online story in the MIT Technology Review, by Dave Talbot, who interviewed Long Lu for a more detailed account.
Jekyll “even provided a way to magnify its effects, because it could direct Safari, Apple’s default browser, to a website with more malware,” Talbot wrote.
A form of Trojan Horse malware, the recreated Jekyll, once downloaded, reaches out to the attack designers for instructions. “The app did a phone-home when it was installed, asking for commands,” Lu explained. “This gave us the ability to generate new behavior of the logic of that app which was non-existent when it was installed.”
Sand-boxing is a fundamental tenant of secure operating systems, intended to insulate apps and their associated data from each other, and avoid the very attacks and activities that Jekyll was able to carry off. It’s also explicitly used as a technique for detecting malware by running code in a protected space where it can be automatically analysed for traits indicative of a malicious activity. The problem is that attackers are well aware of sand-boxing and are working to exploit existing blind spots.
“The Jekyll app was live for only a few minutes in March, and no innocent victims installed it, Lu says,” according to Talbot’s account. “During that brief time, the researchers installed it on their own Apple devices and attacked themselves, then withdrew the app before it could do real harm.”
“The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen,” Lu says.
The results of the new attack, in a paper titles “Jekyll on iOS: when benign apps become evil,” was scheduled to be presented in a talk last Friday at the 22nd Usenix Security Symposium, in Washington, D.C. The full paper is available online. In addition to Wang and Lu, the other co-authors are Kangjie Lu, Simon Chung, and Wenke Lee, all with Georgia Tech.
Apple spokesman Tom Neumayr said that Apple “some changes to its iOS mobile operating system in response to issues identified in the paper,” according to Talbot. “Neumayr would not comment on the app-review process.”
Oddly the same July 31 Georgia Tech press release that revealed Jekyll also revealed a second attack vector against iOS devices, via a custom built hardware device masquerading as a USB charger. Malware in the charger was injected into an iOS device. This exploit, presented at the recent Black Hat Conference, was widely covered (including by Network World’s Layer8 blog) while Jekyll was largely overlooked.