CONFERENCE Cyber AI & Automation Summit - NOW LIVE
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Researchers Hide Android Applications in Image Files

AMSTERDAM – BLACK HAT EUROPE – Researchers have found a way to trick Android users into executing potentially malicious applications by hiding them inside innocent-looking image files.

AMSTERDAM – BLACK HAT EUROPE – Researchers have found a way to trick Android users into executing potentially malicious applications by hiding them inside innocent-looking image files.

Axelle Apvrille, mobile/IoT malware analyst and researcher at Fortinet, and Ange Albertini, reverse engineer and author of Corkami.com, have created an application that can be used to encrypt an APK to make it look like a PNG image file.

 In a real attack leveraging this method, the attacker sends an application containing an image to the potential victim. When the app is launched, the victim only sees the harmless-looking image. In the background however, a malicious payload is installed onto the victim’s Android device.

 In order to hide the installation of the malicious payload, the attacker can leverage the DexClassLoader constructor, the experts said.

According to the researchers, the method works on Android 4.4.2 and prior versions of the operating system. Google developed a fix for the flaw back in June, but Apvrille told SecurityWeek in an interview that the fix is incomplete. The researchers have informed Google of this and the company is now working on a more efficient fix.

How does it work?

The attacker writes his malicious payload and encrypts it to make it look like a valid PNG image file. The encryption is done with AngeCryption, an application developed by the researchers.

Advertisement. Scroll to continue reading.

Controlling AES encryption can be a difficult task, but AngeCryption is designed to encrypt the APK so that Android doesn’t see any difference. Furthermore, the resulting image looks normal to users, except for the fact that it’s 500Kb in size, which is a bit much for a small resolution image.

The final step is to create a wrapping APK in which the malicious PNG is inserted, and then decrypted and installed.

When Android APKs are written, they must end with an End of Central Directory (EOCD) marker. The researchers managed to add their specially crafted PNG file to the APK by appending it after the first EOCD and adding a second EOCD at the end.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Video platform Vimeo has appointed Ryan Weeks as Chief Information Security Officer.

LPL Financial has welcomed Renana Friedlich as Chief Information Security Officer.

SSH Communications Security has appointed Pauli Haikonen as the company’s Chief Information Security Officer (CISO).

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.