Proof-of-concept app brings malware to Apple App Store, developer gets banished from the orchard

Malware isn’t new to iOS (nor to its competition, for that matter). However, in the past malware on iOS has targeted jailbroken devices, the devices that bypass Apple security and download third-party apps not vetted by Apple. Not anymore; things are a changin’. A veteran white hat has exploited a bug in iOS to successfully introduce malware to Apple App Store via a proof-of-concept app.

Charlie Miller, an (in)famous hacker of all things Apple, has exploited a bug in iOS 4.3+ that deals with Apple’s restrictions on code signing (the way Apple ensures only apps they approve are allowed to run on iDevices… unless you jailbreak, of course). Using this vulnerability, Miller has developed a proof-of-concept app that goes by the name of Instastock. Instastock is a seemingly harmless stock ticker app; however, embedded beneath the glamor – or lack thereof – is what one can essentially call a trojan.

Once Instastock is installed on a device, the app calls home to Miller’s server allowing Miller to run any commands he wants on the infected iPhone; using these commands, Miller can steal data (photos, contacts, etc.), modify device settings, make the phone vibrate, etc. (It is unclear if this vulnerability is only on iPhone or other iDevices also.) The following video demonstrates Instastock in action:

Exploiting a bug on iPhone is nothing new. There have been security vulnerabilities in the past, there are some now, and there will be more in the future. (Otherwise no one would be able to jailbreak.) The new development is that this vulnerability went completely undetected by Apple, allowing a malware-infested app to appear in Apple App Store. Yes, Instastock was submitted to Apple App Store and it was approved; it has, however, been pulled since the news of this broke.

Lucky for Apple, Miller is a white hat. He is very active in reporting bugs to Apple and has reported this exploit to them, too. He is even waiting until the SysCan conference in Taiwan next week to reveal the fine details of this exploit, to give Apple more time to patch it. To thank Miller for his service, Apple terminated Miller’s developer license. Really, Apple? Really? Technically, Miller did violate the developer agreement, which states a developer cannot “hide, misrepresent or obscure” any part of an app, but still: banning a researcher for helping you do your job is just downright rude.

Nothing like a good Apple bashing to brighten up my week. I kid, I kid. Semi-kid anyway.

[via Forbes]

  • sunrise

    maybe Apple terminated his license but come with work agreement?
    Hope so :)

  • Philippe

    Developers find and use some security bugs, but don’t say anything. After a few million devices have been hacked, Apple decides to fix the problem. Nice…. I stick with Android.

  • Ashraf

    @Prema: Yeah, editing function is broken.

    In response to your comment about he should have told Apple first:
    a) I think he did;
    b) I think the whole point of this was to prove he could get it on Apple App Store otherwise it would be as significant of a find (it would still be important, just not as important).

    Glad you like the article!

    @david roper: That. I am no Apple hater but fanboyism just pisses me off.

    @TechLogon: I think it was just a knee-jerk reaction from Apple. I am sure they will give him his account back. I hope so, anyway. You don’t want to alienate researchers, especially ones as skilled as this guy.

  • Google pays bounties for bugs found in Chrome, Apple blames the messenger, sigh… Stories like this make it so hard not to Apple bash.

    Follows on from the recent SSL cert hacks when Apple wouldn’t patch Safari in OS X until looong after the other browsers, and fanboys reckon they care about security?

  • david roper

    Nothing like wiping the smugness off the face of Apple users… Just Sayin’

  • 2 things:
    1. [unrelated] but is it just me or can I not edit a comment after posting it? It could be my browser, but wanted to put it out there.

    2. [related to article]
    I read he didn’t have a researcher’s account, just a regular one, and he did hide it from Apple… he should’ve sent it to Apple first off, rather than hide it from them… I believe Apple is very strict when it comes to policies, so they had to do it.

    But nothing like a good read from Ashraf to brighten up my week. lol. great article!