Malicious applications capable of taking control of an iPhone to use the camera, send tweets and steal information can be smuggled through Apple's App Store approval process undetected.
The flaw, which enables the creation of so-called "Jekyll apps", was discovered by a team of researchers at the Georgia Institute of Technology and published in a 15-page report.
Described as a "novel method that fundamentally defeats" the safety mechanisms used by the App Store to stop malicious software reaching users' iPhones, the method allows attackers to "reliably hide" malicious behaviour in mundane-looking applications.
"Once the app passes the review and is installed on an end user's device, it can be instructed to carry out the intended attacks," the five-member team explained.
The key to Jekyll apps is to leave them part-finished so that any malicious behaviour is not detected by Apple's approval system. Once the app is installed, the attacker sends commands to it, injecting the missing code required to make the malicious behaviour work. Apple does not check an application's behaviour once it is installed, so this process goes unnoticed by both the iPhone manufacturer and its user.
"We implemented a proof-of-concept Jekyll app and successfully published it in App Store," the report's authors said.
"We remotely launched the attacks on a controlled group of devices that installed the app. The results showed that Jekyll apps can successfully perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps, and even exploiting kernel vulnerabilities."
To create a Jekyll app, the programmer deliberately writes vulnerabilities into the app, which the attacker can then exploit to inject extra code and change the app's behaviour beyond the control of Apple and the user. The experiment was based on an open source news app called News:yc, which was modified to include the vulnerabilities.
Apple approved the app for use in the App Store in March and it was live long enough for the team to download it to their own devices; the app was then quickly removed by the team to avoid anyone else downloading it.
"We have data to show that only our testing devices installed the app," the team said, adding that they had "made a full disclosure of our attack to Apple."
An Apple spokesman told MIT Technology Review that changes had been made to iOS in response to the report.