Another researcher at Georgia Tech has found a way to bypass Apple security measures and install malware on the iPhone-iPad maker’s devices, the university said this week.
The scientist, Tielei Wang of Tech’s Information Security Center, was able to install an app with Trojan horse-style features that eluded Apple’s app review process, the school said.
In June, a team led by ISC scientist Billy Lau said it was able to bypass security features that protect Apple devices from viruses and other malware by using a “malicious charger.”
“The goal is to identify weakness in order to expose those weaknesses to companies and to users so their devices can be more secure,” said Michaelanne Dye, a spokeswoman for Tech’s College of Computing.
Lau’s findings were presented this week at the Black Hat USA 2013 technology conference in Las Vegas. Wang’s findings will be presented at the 2013 USENIX Security Symposium Aug. 14-16 in Washington.
Dye said researchers focused on Apple devices because the Cupertino, Calif.-based company takes apps through a stringent review process before making them available at its online App Store. “There is an ongoing effort to explore security weaknesses across all types of technologies,” she said.
According to Tech, once Wang’s app successfully got past Apple screening, he was able to carry out malicious tasks. The app, however, never made it to the App Store.
“We were able to successfully publish a malicious app and use it to remotely launch attacks on a controlled group of devices,” Wang said in a statement. He said the Jekyll-based app was able to post tweets, take photos, send email and text messages, and attack other apps “all without the user’s knowledge.”
Tech said Lau was able to construct a malicious charger that resembles an iPhone or iPad charger, but once plugged into a device using Apple’s iOS operating system the device was able to install a malicious app — within a minute of being plugged in.
Apple did not immediately return a call seeking comment.
Tech broke the news on Lau’s findings two months ago, but the researchers didn’t provide more details until the Black Hat conference. In response to Lau’s discovery, Apple has included an iOS.7 operating system feature that alerts users when they plug their mobile device into any peripheral that attempts to establish a data connection.
Apple is still working to address the ability to install Wang’s malicious app, Tech said.