A Georgia Tech researcher has found a weakness in Apple’s iOS mobile platform that could let hackers to hide malicious code inside apps and can be surreptitiously planted on the Apple App Store.
Researchers team created a proof-of-concept attack that was published in the Apple App Store and used to remotely launch attacks on a controlled batch of devices, enabling them to post unauthorized tweets, take photos and even go after other apps.
“Our research shows that despite running inside the iOS sandbox, a Jekyll-based app can successfully perform many malicious tasks, such as posting tweets, taking photos, sending email and SMS, and even attacking other apps all without the user’s knowledge.”
Using a BeagleBoard, team created a USB malicious charger called Mactans that can install apps without user knowledge within a minute of being plugged in.
In one demonstration, the attacker was able to hide the iPhone Facebook application and install a malicious copy in its place. The malware executed its task, then launched the legitimate hidden copy of Facebook, leaving the user none the wiser.
Soon after the researchers reported the bug to Apple and they are fixing that flaw in iOS 7, that notifies users when they plug their mobile device into any peripheral that attempts to establish a data connection, and is working on ways to address the weaknesses revealed through Jekyll.