Connect with us

Hi, what are you looking for?


Mobile & Wireless

‘Jekyll’ and Hide: Researchers Sneak Malicious Apps into iOS Ecosystem

Researchers at the Georgia Institute of Technology have found a foolproof way to bypass Apple’s mandatory app review and code signing mechanisms to sneak a malicious app into the iOS ecosystem.

Researchers at the Georgia Institute of Technology have found a foolproof way to bypass Apple’s mandatory app review and code signing mechanisms to sneak a malicious app into the iOS ecosystem.

The researchers — Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee — created what initially appears to be a harmless app that easily gained Apple’s approval for entry into the iOS app store. Once the app is loaded in the App Store, it can then be tweaked remotely and instructed to do malicious things on the iOS device.

The trick, disclosed at this year’s USENIX Conference, is to make apps remotely exploitable and later introduce “malicious control flows by rearranging signed code.”

Because Apple does not review new control flows during the app verification process, the malicious nature of an app can stay undetected to bypass the company’s heralded security mechanisms.

The researchers showcased a proof-of-concept app, called Jekyll, that was approved for publication in the iOS app store. Once inside the Apple kingdom, the group remotely launched the attacks on devices that installed the app.

“The result shows that, despite running inside the iOS sandbox, Jekyll app can successfully perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps, and even exploiting kernel vulnerabilities,” the researchers explained.

All these malicious tasks can be done even with the app running inside the iOS sandbox.

Advertisement. Scroll to continue reading.

The researchers note that the evasion trickery does not violate any rules imposed by Apple.

“Such a seemingly benign app can pass the app review because it neither violates any rules imposed by Apple nor contains functional malice. However, when a victim downloads and runs the app, attackers can remotely exploit the planted vulnerabilities and in turn assemble the gadgets to accomplish various malicious tasks,” the group explained.

In the paper, the researchers also disclosed the discovery of private APIs in iOS that can be abused to send email and SMS and post Twitter messages without the user’s consent.

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.