Unsuspecting Android users could find malware wrapped in image files

Researchers have discovered a new technique which could allow malicious apps to be delivered to unsuspecting Android users via image files.

Fortinet malware researcher Axelle Apvrille and Corkami reverse engineer Ange Albertini devised a proof-of-concept (POC) attack and demonstrated it at last week’s Black Hat Europe conference in Amsterdam.

Using a custom tool developed by Albertini, dubbed AngeCryption, the pair were able to encrypt a payload Android application package (APK) and make it look like an image file (they used a PNG but other image file formats work just as well).

They then created a second APK which carried the ‘booby-trapped’ image. This second APK was not only wrapped around and hid the first, it also had the ability to decrypt and then install it.

In a paper accompanying the Black Hat talk the researchers wrote that “it is possible to encrypt any input into a chosen JPG or PNG image … the code is able to transform this unsuspicious image into another APK, carrying the malicious payload.” The paper goes on to say that “Static analysis, such as dis-assembly, of the wrapping APK does not reveal anything particular about that bytecode (apart if we undo the encryption packing).”

By tricking the Android app wrapping system in this way the duo were able to create a package that would likely evade detection and get past Google Play’s Bouncer, as well as security apps.

Apvrille and Albertinis’ testing revealed that the Android system did present a permission request when the legitimate wrapper file attempted to install the malicious APK but even that could be prevented by using DexClassLoader.

The pair also revealed how the attack could be implemented - the app in question can only be loaded if some data can be appended after the End of Central Directory (EOCD) zip marker - to achieve this they simply added another EOCD after the additional data.

The attack was found to work with the latest version of the Android operating system (4.2.2) but the pair’s responsible disclosure means the Android Security Team have been aware of the issue since 27 May, enabling them to create a fix which was made available on 6 June. Google’s solution prevents data being appended after EOCD but there is some doubt over whether it checks after the first instance. Thus the Android Security Team are continuing to look into the issue and further fixes may follow.

That said, the Android ecosystem is often not the quickest when it comes to disseminating security updates, and many users are either slow in installing them or choose not to do so, meaning many may be vulnerable to this type of attack for a while to come.

In the meantime, the researchers warn that there is no real way to detect what the payload APK does short of actually decrypting the image file. Their advice to security engineers is to keep a watchful eye on any apps that decrypt resources or assets, remembering that their POC could be obfuscated by an attacker.

They also suggest running applications within a sandbox until they can be checked for malicious or unexpected behaviour which will become evident when run even though the actual payload can be hidden.

Also, they recommend adding stronger constraints to APKs to prevent images from decrypting to a valid APK.