Submission + - Apple CORED: Boffins reveal password-killer 0days for iOS and OS X (theregister.co.uk)
The team was able to upload malware to the Apple app store, passing the vetting process without triggering alerts that could raid the keychain to steal passwords for services including iCloud and the Mail app, and all those store within Google Chrome.
Lead researcher Luyi Xing says he and his team complied with Apple's request to withhold publication of the research for six months, but had not heard back as of the time of writing. [Paper] [video demos]