Researchers Discover a Method to Get Malicious Apps into App Store


Some researchers at Georgia Tech managed to get a malicious app through Apple’s approval process and into the App Store.

They didn’t use it for anything that would harm others; they just downloaded it onto a test device and were able to compromise the phone’s security.

The malware was able to tweet, send texts and emails, and do a variety of other things to the phone that could be used against the owner. It could even redirect Safari to a website with more malware.

Here’s a portion of the report:

The team said that using monitoring code built into the app, they determined that Apple’s app approval team only ran the app for a few seconds and that malicious code was not discovered by Apple’s team. “The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen.”

Apple did respond that it had made changes to iOS in response to the paper, but didn’t specify what they were.

