Researchers manage to get malware published in Apple's iOS App Store

While the posting of malware remains a rare occurrence on Apple's iOS App Store, a team of security researchers figured out a way to get a malicious piece of software past Apple's certification team. The team from Georgia Tech said that the app was approved and published by Apple in March but was only live for a few minutes and no innocent victims downloaded the software.

The MIT Technology Review states that on the surface, the app was supposed to offer news from Georgia Tech. In reality, it contained code that was initially broken into pieces and later reassembled itself into the malware. Among other things, it was capable of stealing personal information and device ID numbers from iPhones and iPads and could even attack other apps.

The researchers determined that the malware was scanned by Apple's team for only a few seconds before it was approved and published. Because the code was fragmented, it's likely that Apple's malware prevention methods would not have detected the threat.

The team presented their findings in a research paper in Washington, D.C. on Friday. An Apple spokesperson said that the company has made some changes to its iOS approval process due to the information in the paper but did not reveal specifics. Marc Rogers, a principal researcher at the mobile security firm Lookout, points out that the malware method created by the Georgia Tech team could be used on any operating system.

Source: MIT Technology Review


40 Comments


How would they make any of that extra money if they turned away ALL the baddies?

Exactly why I don't even need a phone like that!

If any of you have noticed, with all of the Android malware out there, you hardly hear anything bad about it other than it is out there. I think this is because the majority of consumers don't use their smartphone to its full potential. This could be a good thing because they're not spreading the problem, and as long as they have Facebook, Instagram, Vine, access to email and the web, text messages, they are ok with it, they're happy.

I'd rather have adware, viruses, malware than be inside a pretty garden wall where nothing goes wrong and only what they decide is fine goes in. Haven't used the play store in ages, everything I get comes from other sources.

laz45 said,

and just like on a computer I've had 0 problems

So you think. If you don't care about security, that is your problem.
Stop bragging about it so other people will get the same idea... security is not required.

You are also aware that most people that think they have no security issues with malware or whatever, are the biggest contributors to botnets and the like?

And a phone is usually more personal than a computer. Storing all your personal contact information, receive confirmation codes by text message, receive security breaches by text message....

If your phone and your computer are breached by your pointless attitude, you have NO idea of knowing whether malware got to you or not.

laz45 said,
Haven't used the play store in ages, everything I get comes from other sources.

Which means you're far more susceptible to malware than those who just use the Play store.

Shadowzz said,

So you think. If you don't care about security, that is your problem.
Stop bragging about it so other people will get the same idea... security is not required.

You are also aware that most people that think they have no security issues with malware or whatever, are the biggest contributors to botnets and the like?

And a phone is usually more personal than a computer. Storing all your personal contact information, receive confirmation codes by text message, receive security breaches by text message....

If your phone and your computer are breached by your pointless attitude, you have NO idea of knowing whether malware got to you or not.


You just have to be smart about it, I only download things from reputable 3rd party places and make sure others have had no problems with it. I used to have botnets back in the day so I know a lot about them I guess more than the average person so that helps me avoid them. One more thing, if you read what kind of permissions the app is asking for it will also help you detect to see if it's a bad app.

FloatingFatMan said,

Which means you're far more susceptible to malware than those who just use the Play store.


True, I don't dispute that but if you practice app safety you should be fine like reading permissions, downloading apps with high ratings and good comments, not downloading "Mobile Minecraft xOx1337xOx Edition!" and other steps mixed in then you should be fine.

Unless you're actively monitoring all your internet traffic, active processes and loaded DLLs 24/7, how do you know you're not infected?
I don't even claim I'm not infected, and I also had access to 'fancy' botnets in the past (be it they were mainly Cisco routers), I wrote some malware back when I still was in school. And I run an Antivirus, have a firewall on my system and a firewall on the router.
So far I know nothing about any malware for WP8, but I still refuse to do my banking on my phone cause... there is still a risk.
And reading permissions isn't everything, there have been apps in the playstore that exploited the permission system and looked fairly legit. With all the random developer/company names you see.... it isn't the easiest to spot them in advance.
But keep acting as such, and most of all, keep spreading your word of "I don't have any malware issues"....... If you know security, you also know that it's usually the people that claim such, that are themselves infected.

Shadowzz said,
Unless you're actively monitoring all your internet traffic, active processes and loaded DLLs 24/7, how do you know you're not infected?
I don't even claim I'm not infected, and I also had access to 'fancy' botnets in the past (be it they were mainly Cisco routers), I wrote some malware back when I still was in school. And I run an Antivirus, have a firewall on my system and a firewall on the router.
So far I know nothing about any malware for WP8, but I still refuse to do my banking on my phone cause... there is still a risk.
And reading permissions isn't everything, there have been apps in the playstore that exploited the permission system and looked fairly legit. With all the random developer/company names you see.... it isn't the easiest to spot them in advance.
But keep acting as such, and most of all, keep spreading your word of "I don't have any malware issues"....... If you know security, you also know that it's usually the people that claim such, that are themselves infected.

Any tests you want me to run?

Considering the 1000's of Apps that Apple must process every day I am surprised that this has not happened before. This is the problem managing the most popular App store on the planet.

derekaw said,
Considering the 1000's of Apps that Apple must process every day I am surprised that this has not happened before. This is the problem managing the most popular App store on the planet.

I'm sure it happened before but this is the first time the 'good guys' tried it.

Not that I'm surprised by this. It's just harder to bring malware into the appstore and Windows Store than it is to get it into the Play store.

Ronnet said,
I'm sure it happened before but this is the first time the 'good guys' tried it.

Not that I'm surprised by this. It's just harder to bring malware into the appstore and Windows Store than it is to get it into the Play store.

Before this, I think they had 2 issues total? Don't quote me on that though, but I only recall two slip ups prior. Still, that's a pretty amazing track record overall.

paulheu said,
.... the app would not be allowed out of the sandbox.

More succinctly it would not make it through the vetting process to wind up in the store in the first place.

Microsoft's automated code analysis engine is the best out there atm. 20 years of visual studio experience and owning the runtimes and compilers helps a lot.

Enron said,
Well they managed it once on iOS. Malware producers have managed it over 700,000 times on Android.

Not on the Play Store. APK's floating around on the internet != apps in the Play Store. And there's a difference between malware and adware.

Enron said,
Well they managed it once on iOS. Malware producers have managed it over 700,000 times on Android.

Blank said,
no one was ever under the delusion that iOS was un-malwarable (or whatever). There are just steps that Apple takes to try to make this very rare situation, and so far i'd say they've been very successful at doing so, even after this.

Ambroos said,

Not on the Play Store. APK's floating around on the internet != apps in the Play Store. And there's a difference between malware and adware.

I'm just glad as an iPhone, iPad, and OS X user, I don't have to experience these specific problems. Many of the situations that happen on Android are why I switched to iOS on the very first phone (well, only because I was on T-Mobile before I switched to Sprint).

Isn't Android based on the Linux Kernel? Which is why it's easier to trace vulnerabilities?

Mr.XXIV said,

I'm just glad as an iPhone, iPad, and OS X user, I don't have to experience these specific problems. Many of the situations that happen on Android are why I switched to iOS on the very first phone (well, only because I was on T-Mobile before I switched to Sprint).

As an Android / Windows user neither do I. Just use common sense when installing apps. Granted you could be a lot less careless about what you install on iOS which is great for the average person.

InsaneNutter said,

As an Android / Windows user neither do I. Just use common sense when installing apps. Granted you could be a lot less careless about what you install on iOS which is great for the average person.

Of course! Originally, what I couldn't have on Android was what was on iOS, like Nike+ FuelBand and Basketball. Heck, I can't organize everything I have on Android like I can with just iCloud and LastPass. People talk about features, but I look at the experience.

I know I'm going slightly off topic.

Ambroos said,

Not on the Play Store. APK's floating around on the internet != apps in the Play Store. And there's a difference between malware and adware.

For your own safety, I encourage you to NOT 'trust' the Play Store more than any other distribution outlet.

Mobius Enigma said,

For your own safety, I encourage you to NOT 'trust' the Play Store more than any other distribution outlet.


This, cause malware has been found plenty of times in the PlayStore. People denying this aren't helping ANYONE.

InsaneNutter said,

As an Android / Windows user neither do I. Just use common sense when installing apps. Granted you could be a lot less careless about what you install on iOS which is great for the average person.

The average person doesn't root their Android device, nor do they generally sideload apps or use alternative markets, so are relatively safe too.

FloatingFatMan said,

The average person doesn't root their Android device, nor do they generally sideload apps or use alternative markets, so are relatively safe too.


So you're claiming you can mindlessly download any app from the PlayStore without getting infected?
Stop acting like Android is perfectly safe if you 'stick with the PlayStore'. It isn't. From the 3 major mobile OS's.... Android has had most malware in its store by a far stretch.
Ignore people who get infected by it and keep claiming Android is perfectly fine.
It's perfectly identical to the people that think they are safe and think Antivirus or Firewalls on Windows is for chumps..... Sigh

Enron said,
Well they managed it once on iOS. Malware producers have managed it over 700,000 times on Android.

How do you know there are other malware apps? This isn't the first time a malware app has been discovered in iOS.