Malware isn’t new to iOS (nor to its competition, for that matter). However, in the past, malware on iOS has targeted jailbroken devices, the devices that bypass Apple’s security controls to install third-party apps not vetted by Apple. Not anymore; things are a-changin’. A veteran white hat has exploited a bug in iOS to get a malware-carrying proof-of-concept app into the Apple App Store.
Charlie Miller, an (in)famous hacker of all things Apple, has exploited a bug in iOS 4.3 and later that undermines Apple’s code-signing restrictions (the mechanism by which Apple ensures that only code it has signed and approved can run on iDevices… unless you jailbreak, of course). Using this vulnerability, Miller built a proof-of-concept app called Instastock. Instastock looks like a harmless stock-ticker app; embedded beneath the glamor (or lack thereof), however, is what is essentially a trojan.
Once Instastock is installed on a device, the app calls home to Miller’s server, which lets Miller run any commands he wants on the infected iPhone. Using these commands, Miller can steal data (photos, contacts, etc.), modify device settings, make the phone vibrate, and so on. (It is unclear whether this vulnerability affects only the iPhone or other iDevices as well.) The following video demonstrates Instastock in action:
Exploiting a bug on the iPhone is nothing new. There have been security vulnerabilities in the past, there are some now, and there will be more in the future. (Otherwise no one would be able to jailbreak.) The new development is that this one went completely undetected by Apple’s review process, allowing a malware-infested app to appear in the Apple App Store. Yes, Instastock was submitted to the App Store and approved; it has, however, been pulled since the news broke.
Lucky for Apple, Miller is a white hat. He is very active in reporting bugs to Apple and has reported this one to them, too. He is even waiting until the SyScan conference in Taiwan next week to reveal the fine details of the exploit, to give Apple more time to patch it. To thank Miller for his service, Apple terminated his developer license. Really, Apple? Really? Technically, Miller did violate the developer agreement, which states a developer cannot “hide, misrepresent or obscure” any part of an app, but still: banning a researcher for helping you do your job is just downright rude.
Nothing like a good Apple bashing to brighten up my week. I kid, I kid. Semi-kid anyway.