Computer scientists say they found a way to sneak malicious programs into Apple's exclusive app store without being detected by the mandatory review process that's supposed to automatically flag such apps.

The researchers from the Georgia Institute of Technology used the technique to create what appeared to be a harmless app that Apple reviewers accepted into the iOS app store. They were later able to update the app to carry out a variety of malicious actions without triggering any security alarms. The app, which the researchers titled "Jekyll," worked by taking the binary code that had already been digitally signed by Apple and rearranging it in a way that gave it new and malicious behaviors.

"Our method allows attackers to reliably hide malicious behavior that would otherwise get their app rejected by the Apple review process," the researchers wrote in a paper titled Jekyll on iOS: When Benign Apps Become Evil. "Once the app passes the review and is installed on an end user's device, it can be instructed to carry out the intended attacks. The key idea is to make the apps remotely exploitable and subsequently introduce malicious control flows by rearranging signed code. Since the new control flows do not exist during the app review process, such apps, namely Jekyll apps, can stay undetected when reviewed and easily obtain Apple’s approval."

Apple representatives didn't immediately respond to a request for comment, but company spokesman Tom Neumayr told MIT Technology Review that developers have made changes to the iOS operating system in response to issues identified in the paper. It remains unclear if the vulnerabilities have been completely fixed.

The Jekyll app was only active for a few minutes following its launch in March, and during that time it wasn't installed by anyone not involved in the experiment, the researchers said. The app had the ability to carry out a variety of malicious attacks, including stealthily sending tweets, e-mails, and text messages, stealing device ID numbers, taking photos, and attacking other apps. The app could also cause Apple's Safari browser to load booby-trapped websites.

"Such a seemingly benign app can pass the app review because it neither violates any rules imposed by Apple nor contains functional malice," the researchers wrote. "However, when a victim downloads and runs the app, attackers can remotely exploit the planted vulnerabilities and in turn assemble the gadgets to accomplish various malicious tasks."

The attack described by the researchers in some ways resembles an exploit that allows hackers to inject malicious code into legitimate Android apps without invalidating their digital signature. The so-called "master-key vulnerability" was also discovered by white-hat researchers, but it's now being exploited in some third-party marketplaces.