Apple’s App Store is renowned for its security—but even Apple is inadvertently allowing a small handful of malicious apps to sneak through its screening process and onto some people’s phones, new research shows. The good news is that the researchers involved, who published their findings on 31 October in IEEE Transactions on Dependable and Secure Computing, have also uncovered a way to detect these Trojan horses.
Thanks to strict guidelines and bans on certain practices that facilitate the spread of malicious apps, the vast majority of apps in Apple’s App Store are safe. However, some malicious apps are still making their way through the screening process by exhibiting one user interface while harboring a second, malicious user interface.
“[These apps] display a benign user interface under Apple’s review but reveal their hidden, harmful user interfaces after being installed on users’ devices,” explains Yeonjoon Lee, a researcher at Hanyang University who was involved in the study.
After the app is downloaded, the hidden user interface can be triggered by a certain condition—for example, by a command sent by the app’s creator to activate it. These so-called “Chameleon apps” can be used for many purposes, such as pushing through unauthorized content or collecting sensitive information from users’ phones.
The team’s new tool, called CHAMELEON-HUNTER, analyzes the coding of apps. They tested the tool against more than 28,000 apps in the App Store over a six-month period, cross-referencing each app's behavior by installing the app in two different environments: in a controlled environment which mimics app vetting and on a normal phone. This revealed 142 malicious apps.
Of these 142 Chameleons, 58 were designed to deliver unauthorized content; 38 were used as malicious crowdsourcing platforms; 14 were designed to collect sensitive information; and 11 were intended to spread fake news. Interestingly, some apps that facilitate ad fraud, for example by increasing the amount of time certain ads are played, were also detected.
During the six-month period of analysis, the researchers estimate that the probability of an app in the App Store being a Chameleon is as high as 0.8 percent. Surprisingly, some of these apps made their way into the top 100 rankings for their respective categories. Apple does not share the exact number of downloads for each app, however.
CHAMELEON-HUNTER relies on two techniques for detection. The first technique takes advantage of the fact that there are multiple user interfaces present; by analyzing the hierarchy of coding for these user interfaces, it’s possible to detect a Chameleon app.
The other technique analyzes the semantics (or wording) within the app’s code, searching for unusual phrases. For example, it would raise suspicion to find words like “money” or “lottery” in coding that is meant to be for a music app.
While CHAMELEON-HUNTER successfully revealed a number of malicious apps (many of which have since been removed by Apple), the tool does have limitations. “Our approach is only useful when the hidden user interfaces are already embedded in the app. However, there are other approaches adversaries can utilize to introduce hidden user interfaces,” explains Xueqiang Wang, a researcher at Indiana University who was involved in the study.
Next, the team plans to detect malicious apps that rely on a more complicated technique called dynamic code loading; as well, they plan to devise ways to detect apps that target specific activities, such as collecting health data, rather than searching for generally suspicious activity.