New Technique Allows Attackers to Hide Malicious Encrypted Android Apps Inside Images

by Istvan Fekete on October 21, 2014

Researchers have uncovered a new technique that allows attackers to hide malicious encrypted Android apps inside images to evade detection by antivirus products and possibly Google Play’s own malware scanner.

The developers demonstrating the attack are Axelle Apvrille, a researcher at Fortinet, and reverse engineer Ange Albertini, who presented their proof-of-concept at the Black Hat Europe security conference in Amsterdam last week.

The malware attack is based on a technique invented by Albertini, which he has named AngeCryption. The technique gives hackers control of both the input and the output of file encryption using the Advanced Encryption Standard (AES) by taking advantage of the properties of some file formats and allowing files to remain valid, despite their incorporating junk files.

To achieve this result, the two developers who uncovered this major Android security flaw simply took the AngeCryption Python script (available for download from Google Code) and applied it to Android application package files.

The base functionality of the Python script allows the user to choose an input and an output, and make the necessary modifications so that when the input file is encrypted with a specific key, the result should be the desired output file.

By applying this idea to APK files, the developers found that they can hide malicious code inside a PNG image (for example): the proof-of-concept application shows an image of Star Wars character Anakin Skywalker, but upon installation the app produced a second APK file that, in their case, was a picture of Darth Vader.

So, in the end, the hacker can use this trick to install malicious apps that could steal text messages, photos, contacts, and other sensitive data.

This isn’t the first report of an Android security vulnerability and won’t be the last. A recent F-Secure report emphasized that 98% of mobile malware targets the Android platform.

Did you like this post? publishes daily news, editorial, thoughts, and controversial opinion – you can subscribe by: RSS (click here), or email (click here).

Written by: Istvan Fekete. Follow by: RSS, Twitter, Facebook, or YouTube.

Previous post:

Next post: