Researchers slip malware onto Apple's App Store, again
Georgia Tech security researchers this week noted they managed to successfully slip some malware onto the App Store in May.
Researchers have once again pulled a fast one on Apple's app approval process, getting malware onto the App Store to prove it's still a possibility.
A group of researchers from Georgia Tech developed an app that masqueraded as a news reader that would phone home to reprogram itself into malware -- something that was apparently not picked up in Apple's security screening procedures, reports the MIT Technology Review.
Once configured remotely, the software was able to do things like send texts, e-mails, post Tweets, take pictures, dial phone numbers, and even reboot the system.
Apple only ran the app for a few seconds during its testing process, the researchers said. And once published to the App Store, the researchers quickly removed it after they were able to successfully install it on their phones.
The methodology and results of the test, which occurred in March, were published this week at the UNSENIX Security Symposium in Washington, D.C.
Apple told the Technology Review it has changed its iOS security since learning of the vulnerabilities detailed in the research, though it's unclear if anything's changed in the company's app screening process.
This isn't the first time a researcher has slipped malware onto the App Store to prove a point. Charlie Miller, a well-known security researcher (and) who targeted Apple's products and services for years, did the very same thing in 2011. Miller released a generic stock-checking app called InstaStock that could tap into his own server and grab bits of code. The behavior was from Apple's developer program, per the company's App Store guidelines.
Apple has long touted the security of the App Store, with executives going so far as to bash competitors for it. On the eve of Samsung's Galaxy S4 announcement in March, Apple marketing chief Phil Schiller while linking to a report from F-Secure which focused on the rise of Android security threats. Schiller also gave interviews to Reuters and The Wall Street Journal knocking other aspects of the Android platform.
You can read the full paper here (PDF).