X

Researchers slip malware onto Apple's App Store, again

Georgia Tech security researchers this week noted they managed to successfully slip some malware onto the App Store in May.

Josh Lowensohn Former Senior Writer
Josh Lowensohn joined CNET in 2006 and now covers Apple. Before that, Josh wrote about everything from new Web start-ups, to remote-controlled robots that watch your house. Prior to joining CNET, Josh covered breaking video game news, as well as reviewing game software. His current console favorite is the Xbox 360.
See full bio
Josh Lowensohn
2 min read
Josh Lowensohn/CNET

Researchers have once again pulled a fast one on Apple's app approval process, getting malware onto the App Store to prove it's still a possibility.

A group of researchers from Georgia Tech developed an app that masqueraded as a news reader that would phone home to reprogram itself into malware -- something that was apparently not picked up in Apple's security screening procedures, reports the MIT Technology Review.

Once configured remotely, the software was able to do things like send texts, e-mails, post Tweets, take pictures, dial phone numbers, and even reboot the system.

Apple only ran the app for a few seconds during its testing process, the researchers said. And once published to the App Store, the researchers quickly removed it after they were able to successfully install it on their phones.

The methodology and results of the test, which occurred in March, were published this week at the UNSENIX Security Symposium in Washington, D.C.

Apple told the Technology Review it has changed its iOS security since learning of the vulnerabilities detailed in the research, though it's unclear if anything's changed in the company's app screening process.

Georgia Tech

This isn't the first time a researcher has slipped malware onto the App Store to prove a point. Charlie Miller, a well-known security researcher (and now Twitter employee) who targeted Apple's products and services for years, did the very same thing in 2011. Miller released a generic stock-checking app called InstaStock that could tap into his own server and grab bits of code. The behavior was grounds for dismissal from Apple's developer program, per the company's App Store guidelines.

Apple has long touted the security of the App Store, with executives going so far as to bash competitors for it. On the eve of Samsung's Galaxy S4 announcement in March, Apple marketing chief Phil Schiller tweeted "Be safe out there"while linking to a report from F-Secure which focused on the rise of Android security threats. Schiller also gave interviews to Reuters and The Wall Street Journal knocking other aspects of the Android platform.

You can read the full paper here (PDF).

(Via MacRumors)