Menu
New technique allows attackers to hide stealthy Android malware in images

New technique allows attackers to hide stealthy Android malware in images

The attack could be used to distribute malware through applications that appear harmless, researchers said

A new technique that allows attackers to hide encrypted malicious Android applications inside images could be used to evade detection by antivirus products and possibly Google Play's own malware scanner.

The attack was developed by Axelle Apvrille, a researcher at Fortinet, and reverse engineer Ange Albertini, who presented their proof-of-concept at the Black Hat Europe security conference in Amsterdam Thursday.

It's based on a technique devised by Albertini dubbed AngeCryption that allows controlling both the input and the output of a file encryption operation using the Advanced Encryption Standard (AES) by taking advantage of the properties of some file formats that allow files to remain valid despite having junk data appended to them.

AngeCryption, which was implemented as a Python script available for download on Google Code, allows the user to choose an input and an output file and makes the necessary modifications so that when the input file is encrypted with a specified key using AES in cipher-block chaining (CBC) mode, it produces the desired output file.

Apvrille and Albertini took the idea further and applied it to APK (Android application package) files. They created a proof-of-concept wrapping application that simply displays a PNG image of Star Wars character Anakin Skywalker. However, the app can also decrypt the image with a particular key in order to produce a second APK file that it can then install.

In the researchers' demonstration, the APK hidden inside the image was designed to display a picture of Darth Vader, but a real attacker could use a malicious application instead to steal text messages, photos, contacts, or other data.

During the demonstration, Android displayed a permission request when the wrapper application tried to install the decrypted APK file, but this can be bypassed using a method called DexClassLoader so that the user doesn't see anything, Apvrille said. The image wouldn't even have to be included in the wrapper application and could be downloaded from a remote server after installation, she said.

In order for the attack to work, some data needs to be appended at the end of the original application, but the APK format, which is derived from ZIP, does not allow appended data after a marker called the End of Central Directory (EOCD), which signals the end of the file.

However, the researchers found that adding a second EOCD after the appended data tricks Android into accepting the file as valid. According to Apvrille, this should not happen and is the result of an error in Android's APK parser.

The attack works on Android 4.4.2, the latest version of the OS, but the Android security team has been notified and is developing a fix, Apvrille said.

Because of fragmentation in the Android ecosystem, especially when it comes to firmware updates, many devices will likely remain vulnerable to this attack for a long time, giving Android malware authors ample time to take advantage of it.

The situation with the distribution of Android security updates is better than it was three years ago, but this vulnerability will probably remain active on many phones for one or two years, Apvrille said.

The researchers released their proof-of-concept code on Github following their presentation Thursday and will also publish a paper.

Subscribe here for up-to-date channel news

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags FortinetGooglesecuritymobile securityencryptionExploits / vulnerabilitiesmalware

Featured

Slideshows

Tight lines as Hooked on Lenovo catches up at Great Barrier Island

Tight lines as Hooked on Lenovo catches up at Great Barrier Island

​Ingram Micro’s Hooked on Lenovo incentive programme recently rewarded 28 of New Zealand's top performing resellers with a full-on fishing trip at Great Barrier Island for the third year​ in a row.

Tight lines as Hooked on Lenovo catches up at Great Barrier Island
Inside the AWS Summit in Sydney

Inside the AWS Summit in Sydney

As the dust settles on the 2017 AWS Summit in Sydney, ARN looks back an action packed two-day event, covering global keynote presentations, 80 breakout sessions on the latest technology solutions, and channel focused tracks involving local cloud stories and insights.

Inside the AWS Summit in Sydney
Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day

Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day

Ingram Micro hosted its third annual Cure Kids Charity Golf Tournament at the North Shore Golf Club in Auckland. In total, 131 resellers, vendors and Ingram Micro suppliers enjoyed a round of golf consisting of challenges on each of the 18 sponsored holes, with Team Philips taking out the top honours.

Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day
Show Comments