
Researchers Hide Android Applications in Image Files

AMSTERDAM – BLACK HAT EUROPE – Researchers have found a way to trick Android users into executing potentially malicious applications by hiding them inside innocent-looking image files.

Axelle Apvrille, mobile/IoT malware analyst and researcher at Fortinet, and Ange Albertini, reverse engineer and author of Corkami.com, have created an application that can be used to encrypt an APK to make it look like a PNG image file.

In a real attack leveraging this method, the attacker sends the potential victim an application that contains an image. When the app is launched, the victim only sees the harmless-looking image; in the background, however, a malicious payload is installed on the victim’s Android device.

In order to hide the installation of the malicious payload, the attacker can leverage the DexClassLoader constructor, the experts said.

According to the researchers, the method works on Android 4.4.2 and prior versions of the operating system. Google developed a fix for the flaw back in June, but Apvrille told SecurityWeek in an interview that the fix is incomplete. The researchers have informed Google of this and the company is now working on a more complete fix.

How does it work?

The attacker writes his malicious payload and encrypts it to make it look like a valid PNG image file. The encryption is done with AngeCryption, an application developed by the researchers.

Controlling the output of AES encryption is normally a difficult task, but AngeCryption is designed to encrypt the APK so that the result still parses as a PNG and Android doesn’t see any difference. Furthermore, the resulting image looks normal to users, except that it’s 500Kb in size, which is a bit large for a low-resolution image.
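As an added note on why an encrypted file can start with a valid PNG header (this is the standard CBC property the technique relies on, not a quote from the researchers or from their paper), consider AES in CBC mode with key $K$, plaintext blocks $P_i$ (the APK) and ciphertext blocks $C_i$ (the image):

$$
C_1 = E_K(P_1 \oplus IV), \qquad C_i = E_K(P_i \oplus C_{i-1}) \quad (i \ge 2).
$$

To force the first ciphertext block to equal a chosen 16-byte value $C_1^{*}$ (for a PNG: the 8-byte signature followed by the first chunk’s length and type), choose the IV as

$$
IV = D_K(C_1^{*}) \oplus P_1,
$$

because then $E_K(P_1 \oplus IV) = E_K\!\left(D_K(C_1^{*})\right) = C_1^{*}$. Only the first block is controlled; the remaining blocks are pseudorandom, so the chosen header must declare a chunk long enough to cover them if a parser is to accept the file. The defender’s takeaway is that with an attacker-chosen IV and no authentication, the first block of a CBC ciphertext can be anything, so magic bytes say nothing about what a file decrypts to, and type detection by signature is not a control against this.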

The final step is to create a wrapping APK in which the malicious PNG is inserted, and then decrypted and installed.

An Android APK must end with an End of Central Directory (EOCD) record. The researchers managed to add their specially crafted PNG file to the APK by appending it after the first EOCD and adding a second EOCD at the end.
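As an added example (not the researchers’ tool and not part of the SecurityWeek article), here is a Python check for the archive layout described above. It scans an APK for every structurally consistent EOCD record and reports a second one, or any bytes after the first record, which is exactly what the appended-PNG trick leaves behind. The sample archive, the PNG-signed filler and the function names (`analyze_apk` and friends) are constructed for this demonstration; the filler is a signature plus zeros, not an image or a payload.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"      # end of central directory record signature
CDH_SIG = b"PK\x01\x02"       # central directory file header signature
PNG_SIG = b"\x89PNG\r\n\x1a\n"
EOCD_FIXED_LEN = 22           # EOCD length before the optional trailing comment


def valid_eocd_offsets(data: bytes) -> list:
    """Return offsets of every EOCD record whose fields are internally consistent.

    A stray 'PK\\x05\\x06' inside compressed data is ignored unless the central
    directory offset/size it names point at a real central directory header that
    ends at or before the record, the same sanity rule a ZIP reader applies.
    """
    found = []
    pos = data.find(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_FIXED_LEN <= len(data):
            cd_size, cd_offset = struct.unpack_from("<II", data, pos + 12)
            if (cd_offset + cd_size <= pos
                    and data[cd_offset:cd_offset + 4] == CDH_SIG):
                found.append(pos)
        pos = data.find(EOCD_SIG, pos + 1)
    return found


def eocd_record_end(data: bytes, off: int) -> int:
    """Offset just past the EOCD record at `off`, including its comment."""
    (comment_len,) = struct.unpack_from("<H", data, off + 20)
    return off + EOCD_FIXED_LEN + comment_len


def analyze_apk(data: bytes) -> dict:
    """Flag archives that carry a second EOCD or any data after the first one."""
    offsets = valid_eocd_offsets(data)
    report = {
        "eocd_count": len(offsets),
        "trailing_bytes": 0,
        "png_after_first_eocd": False,
        "suspicious": False,
    }
    if not offsets:
        return report  # not a parsable ZIP at all; triage that separately
    trailing = data[eocd_record_end(data, offsets[0]):]
    report["trailing_bytes"] = len(trailing)
    report["png_after_first_eocd"] = trailing.startswith(PNG_SIG)
    report["suspicious"] = len(offsets) > 1 or bool(trailing)
    return report


def build_clean_apk() -> bytes:
    """Constructed sample: a minimal APK-shaped ZIP with placeholder entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
    return buf.getvalue()


def build_polyglot_sample() -> bytes:
    """Constructed sample reproducing the layout the article describes:
    the clean archive, PNG-signed filler after its EOCD, then a copy of the EOCD
    so that a reader that only looks at the end of the file still sees a ZIP."""
    clean = build_clean_apk()
    first = valid_eocd_offsets(clean)[0]
    eocd = clean[first:eocd_record_end(clean, first)]
    fake_png = PNG_SIG + b"\0" * 128
    return clean + fake_png + eocd


if __name__ == "__main__":
    print("clean   :", analyze_apk(build_clean_apk()))
    print("polyglot:", analyze_apk(build_polyglot_sample()))
```

Run the check over the raw file bytes rather than over what a ZIP library reports: archive readers locate the EOCD by scanning backwards from the end of the file, so a library will happily hand you the second record and never mention the first. The APK Signature Scheme v2 block sits before the central directory, not after the EOCD, so correctly signed modern APKs do not trip this rule.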

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
