Malicious code can be surreptitiously planted on the Apple App Store and then downloaded by iOS devices, researchers have shown at BlackHat in Las Vegas, where they also showed how a bespoke charger could be used to hack an iPhone.
Like polymorphic malware, the “Jekyll” proof-of-concept code introduces new functionality that is not checked during Apple’s approval process.
“We were able to successfully publish a malicious app and use it to remotely launch attacks on a controlled group of devices,” said Tielei Wang, a researcher at the Georgia Tech Information Security Center (GTISC).
“Our research shows that despite running inside the iOS sandbox, a Jekyll-based app can successfully perform many malicious tasks, such as posting tweets, taking photos, sending email and SMS, and even attacking other apps – all without the user’s knowledge.”
SOURCE: techweekeurope.co.uk
