Delivering Malicious Android Apps Hidden In Image Files 113
An anonymous reader writes "Researchers have found a way to deliver a malicious app to Android users by hiding it in what seems to be an encrypted image file, which is then delivered via a legitimate, seemingly innocuous wrapper app. Fortinet malware researcher Axelle Apvrille and reverse engineer Ange Albertini created a custom tool they dubbed AngeCryption, which allows them to encrypt the payload Android application package (APK) and make it look like an image (PNG, JPG) file. They also had to create another APK that carries the "booby-trapped" image file and which can decrypt it to unveil the malicious APK file and install it. A malicious app thusly encrypted is nearly invisible to reverse engineers, and possibly even to AV solutions and Google's Android Bouncer." (Here's the original paper, from researchers Axelle Apvrille and Ange Albertini.)
Re: (Score:2)
Yeah, but a totally innocuous app that the store maintainers are liable to let through.
Re:So you have to install an app... (Score:4, Insightful)
Yeah, but a totally innocuous app that the store maintainers are liable to let through.
Meaning it isn't limited to just Android. This vulnerability has been known about for ages and affects all operating systems. You simply hide the virus encrypted inside the main app, in this case with a bit of obfuscation to make it look like an image too. Standard technique for trojans.
Re: (Score:1, Interesting)
Such an attack would not work against iOS since the sub-app would not be signed to run on the device, and the parent app wouldn't be able to launch the other process.
Re: (Score:1)
Such an attack would not work against iOS
Even if you carry an iPhone or iPad as your primary device to avoid trojans, you still have to carry an Android device if you want to use legitimate applications that belong to entire categories that Apple is known to reject.
Re: (Score:2)
Re: (Score:1)
Devil's advocate here:
One reason why Apple has such a sterling reputation for security is that they have a brutal gatekeeper and don't let anyone else have install mechanisms (other than developers or the enterprise.) They also disallow forms of programs that will be asking for trouble such as hypervisors and VM environments where code can be fetched and run that isn't trusted.
These days, there are two ways to get a device compromised:
1: Browser and browser add-ons. Adblock, click-to-play, sandboxing, an
Re: (Score:2)
One reason why Apple has such a sterling reputation for security...
WHAT? No seriously, where does this reputation exist? I've never heard of it.
Re: (Score:3)
Why was the parent post modded to -1? The fact is that they are correct - unless your iPhone is jailbroken. The sandbox prevents unsigned apps from being installed. And, apps that do get installed have limited access to the rest of the file system. At least that's the way it worked prior to iOS 8.
The walled garden is both a curse and a blessing - depends on how you look at it.
Re: So you have to install an app... (Score:2)
If you want to do this on iOS, you jailbreak, and make your device more functional, but arguably less secure if you don't know what you're doing, or you're some sort of chimp.
Talking about security used to mean how free from vulnerabi
Re: (Score:3)
Not really. You cannot launch an app that's not signed in iOS to run on that specific device, so this whole process just wouldn't work in iOS, for instance.
It also wouldn't work in OSX unless you deactivated the permissions to run only Mac Store apps (which many people do, though).
Re:So you have to install an app... (Score:5, Insightful)
It won't work on an Android device unless you first enable the ability to side load apps, click through all the warnings, then re-start the trojan, click through the side load app warning, and finally click through the new app installation screen and permission list.
Re: (Score:2)
My comment was not to disprove that it was possible or not on Android without user intervention; my comment was to disprove your statement that this issue affects all operating systems. It does not: iOS is completely impervious to this attack.
On the other hand, you are right about user intervention. Android seems to need user intervention just like OSX does in order for this attack to work.
Re: (Score:1)
iOS is completely impervious to this attack.
Because no one's figured out a way to run unsigned applications on iOS, right? Umm...
Re: (Score:2)
Depends. If you want to bring previous bugs in the code that are now patched into this discussion, we will have a lot to talk about regarding now-patched bugs on Android as well.
We are talking about the present state of the operating systems, not about what bugs might or might not be discovered in the future.
Re: (Score:2)
OS X's default permission for GateKeeper is Mac App Store and Developer Signed Apps. It has never been Mac App Store only. The other option is well, "off" (any source).
And it'll always remain that way because people do
Re: (Score:2)
You are right. I had the idea I had fiddled with the options from Mac Store only to Anywhere, but the default was Mac App Store and Developer Signed Apps after all.
I would suggest, though, that JAVA vulnerabilities and Adobe Flash Player (which I haven't installed btw, but many people do) vulnerabilities, are still the greatest threat t
Re: (Score:2)
I thought app stores existed because of security.
Let's do away with them altogether then.
Re: (Score:2)
Re: (Score:1)
Apple's App Store has plenty of apps available without charge, too, but they sure hope you buy some that cost money. I don't think I know anyone with a smart phone, regardless of OS, who only has free apps and hasn't purchased at least one. F-Droid isn't really an app store, unless you want to get clever and interpret "store" as a storage facility as opposed to a marketplace. It's a curated library, not a store. F-Droid is a registered nonprofit and relies on donations to survive.
Re: (Score:2)
In most cases, to require you to log in so that the accuracy of advertisement targeting on your personage can be maintained; that is their purpose, f-droid excepted.
Re: (Score:2)
You thought wrong.
There's a lot of reasons, if you're an OS developer, to have an app store, but security is pretty low on them.
#1: It lets you control what applications are available on your platform. No worrying about someone treading on your toes, selling something you sell.
#2: It gives you a cut of every app sold. This means that you can make your OS a loss leader, and take your profits from the sales of people making things people actually like.
#3: Building your brand. Marketing poisons everything.
fjaoiejaaaaaaarghhh (Score:1, Troll)
yeah it's fucking stupid fucking stupid fucking stupid
FUCKING STUPID TO THE EXTREME!
that the included APK is hidden inside the png is totally TOTALLY irrelevant. it could be ANY kind of file that it is in. heck, just "thisisthemaliciousapkinrot8.apk" would do it.
also, does it somehow silently install the malicious apk? on phones where untrusted sources is unchecked? that would be the interesting bit, so I guess no. it would be the main bit of their program, not the irrelevant png wooooo encryption nonsense
Re: (Score:2)
The average smartphone users are just like PC users. They cannot understand that AV scanning is only useful because a lot of malware authors want their works to be found and recognized, because they're doing it for fun.
Re: (Score:2)
If you glance at the paper, it might seem that they include a root exploit that gets run with the application. However, deeper reading shows that the root exploit is only mentioned in an example of an Android malware file.
In the example of their application, they conveniently skip even saying if the APK install screen is shown! However, I still think it is shown because they include this disclaimer right after there:
"Note trickier implementations can conceal the installation of the payload APK", sneaky bastards, th
Unlikely (Score:3)
Re: (Score:3)
Unlikely...or it may provide insight into Fortinet's hiring practices.
Re: (Score:2)
Re: (Score:2)
It won't hurt crypto algorithms unless their names are both Alice.
Re:Unlikely (Score:4, Funny)
Bah, why do you think all crypto discussions are about exchanges between Alice and Bob? :-P
Still have to install (Score:4, Insightful)
I think from a technical standpoint, this is really neat research, but there are much simpler ways to lead the cattle to the salt lick.
Re: (Score:3)
One problem might be that enabling third party apps seems to be an all or nothing affair. Your average Android device comes enabled to load apps from the Google Play store, but suppose you want to take advantage of the Amazon App Store also. (They have free apps of the day some of which might be interesting to use.) So you enable third party apps to load the Amazon App Store. However, now you are opened up to ANY third party app. It would be better if you could white-list the Amazon App Store but not R
Re: (Score:1, Interesting)
Re: (Score:2)
Enabling 3rd party app installation is an all or nothing affair because it's, well, 3rd parties.
Why doesn't the system provide a mechanism for the user to distinguish between trusted and untrusted third parties? For example, a user ought to have a way to choose to trust Amazon and F-Droid alongside Google but distrust all other APK sources.
Re: (Score:3)
PPA (Score:3)
Because that is putting time and effort into developing features to support competitors.
Canonical put time and effort into the Personal Package Archive system [launchpad.net], which supports competitors to the official Ubuntu repository. Each PPA is a Debian repository with a public key to verify packages, and a Canonical-managed PKI ties them together. True, a lot of that comes from the Debian project, but Canonical still polished it into PPAs starting in Ubuntu 9.10.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Well the fact of the matter is that Google is only interested in making sure their app store is the only trusted store. The choice to make it all or nothing was deliberate on their part. They could easily have implemented user-selectable trust of signing certificates. Granted 90% of android users don't even understand the problem, let alone the solution.
Still, though, this vulnerability appears to be firmly in the area of social engineering because why would I want to download an encrypted image file tha
Re: (Score:2)
why would I want to download an encrypted image file that requires another separate, random app to decrypt and view it?
Ask users of Snapchat.
Re: (Score:2)
Still, though, this vulnerability appears to be firmly in the area of social engineering because why would I want to download an encrypted image file that requires another separate, random app to decrypt and view it?
The payload is encrypted/embedded into an image that is an asset inside the application such as a splash screen or a logo. It appears innocuous until the application runs, extracts the embedded apk and executes it. Prior to that the malicious payload is not detected by application scanners that scan the carrier apk.
Re:Still have to install (Score:5, Informative)
In their testing, Android did show a permission request when the legitimate wrapper file tried to install the malicious APK, but the researchers say that this can be prevented by using DexClassLoader.
Now that sounds plausible and like a real concern (that is being addressed).
Re: (Score:2)
Re: (Score:1)
This sounds rather convoluted (Score:3)
So I'm going to install an app which is used to open a picture I don't know the origin of and which has been tampered with to append a second app, and if the first app opens the "picture" of choice it then installs another app which triggers a permission request (which they say they can work around).
I'd say this is implausible, but between porn and LOLcats there are going to be some unsuspecting idiots out there who might actually get caught.
Re: (Score:2)
I don't get why they think people would believe they need to open some random app just to view an image...
Because not all images are single-layer PNG or JPEG. There exist a lot of image formats for which a viewer is not included with all major operating systems. Compare to a common tactic used by Windows trojans: a web site displays a video with an "unsupported codec" and then ships the trojan disguised as a codec installer. Does Windows even come with a PDF viewer?
Re: (Score:2)
That's a plausible technical reason. The real reason, though, is social. Users have been conditioned to equate content and apps.
Encrypted App can't be checked? No shit. (Score:2, Insightful)
So what I really gather from this is encrypted apps can't be checked, scanned or searched for what the contents hold? Really?
And seriously, hiding a payload inside something else isn't new, that's been around for decades at least.
So in other words, don't install apps I have no idea where they come from? Sounds good to me.
Re: (Score:2)
*cough* trojans *cough*
decades you say?
Re: (Score:3, Interesting)
In their testing, Android did show a permission request when the legitimate wrapper file tried to install the malicious APK, but the researchers say that this can be prevented by using DexClassLoader.
Doing that isn't much of a stretch. Many popular apps already use DexClassLoader just to get around limits during packaging.
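Two claims in this thread lend themselves to a concrete defender-side check: the one above that the carrier APK's image assets pass application scanners because the payload sits inside a seemingly valid PNG, and the one here that the install prompt can be skipped by loading code through DexClassLoader. The script below is an added example, not code from the article, the thread, or the AngeCryption authors. It unpacks an APK (a ZIP), walks the chunk structure of every PNG to flag things a plain image never needs (bytes after IEND, a first chunk other than IHDR, a bad chunk CRC, an oversized chunk of a type the PNG spec does not define), and does a coarse string search of classes.dex for the DexClassLoader class descriptor. The file names, the 64 KiB chunk threshold and the sample APK are all constructed for the example; the dex check is a triage hint, not disassembly, since many legitimate apps use that API too (as the comment above notes).

```python
"""Heuristic triage of a carrier APK for hidden-payload indicators.

Added example; not from the article or the AngeCryption authors.
Checks:
  * PNG members that are structurally odd (bytes after IEND, first chunk
    not IHDR, bad chunk CRC, oversized non-spec chunk). A real image
    needs none of these; a file carrying a second payload usually shows
    at least one.
  * A .dex member whose string table names dalvik/system/DexClassLoader,
    the API the thread mentions for loading code at run time without an
    install prompt. Coarse string match only: a hint, not a verdict.
"""
import io
import struct
import zipfile
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
DEX_CLASS_LOADER = b"Ldalvik/system/DexClassLoader;"
SPEC_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA",
               b"iCCP", b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD",
               b"hIST", b"pHYs", b"sPLT", b"tIME"}
UNKNOWN_CHUNK_LIMIT = 64 * 1024  # assumed threshold; tune for your corpus


def png_anomalies(data):
    """Return the reasons a PNG looks like more than an image ([] if clean)."""
    reasons = []
    if not data.startswith(PNG_MAGIC):
        return ["not a PNG"]
    pos = len(PNG_MAGIC)
    first = True
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_off = pos + 8 + length
        if crc_off + 4 > len(data):
            reasons.append(f"truncated {ctype!r} chunk")
            return reasons
        (crc,) = struct.unpack(">I", data[crc_off:crc_off + 4])
        if crc != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            reasons.append(f"bad CRC on {ctype!r} chunk")
        if first and ctype != b"IHDR":
            reasons.append(f"first chunk is {ctype!r}, not IHDR")
        first = False
        if ctype not in SPEC_CHUNKS and length > UNKNOWN_CHUNK_LIMIT:
            reasons.append(f"oversized non-spec chunk {ctype!r} ({length} bytes)")
        pos = crc_off + 4
        if ctype == b"IEND":
            trailing = len(data) - pos
            if trailing:
                reasons.append(f"{trailing} bytes after IEND")
            return reasons
    reasons.append("no IEND chunk")
    return reasons


def scan_apk(apk_bytes):
    """Map each suspicious member of the APK (a ZIP) to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            reasons = []
            if name.lower().endswith(".png"):
                reasons += png_anomalies(data)
            if name.endswith(".dex") and DEX_CLASS_LOADER in data:
                reasons.append("references DexClassLoader")
            if reasons:
                findings[name] = reasons
    return findings


# --- constructed sample input (made-up file names) -----------------------
def _chunk(ctype, body):
    # PNG chunk: length, type, data, CRC over type+data
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def build_png(width=2, height=2):
    """A minimal valid 8-bit RGB PNG, all black."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanline = b"\x00" + b"\x00\x00\x00" * width  # filter byte + RGB pixels
    idat = zlib.compress(scanline * height)
    return (PNG_MAGIC + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def build_sample_apk():
    """Constructed carrier APK: one clean image, one image with a blob after
    IEND, and a stand-in classes.dex that names DexClassLoader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("res/drawable/logo.png", build_png())
        zf.writestr("assets/splash.png", build_png() + b"\x00" * 4096)
        zf.writestr("classes.dex", b"dex\n035\x00" + DEX_CLASS_LOADER + b"\x00")
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_apk(build_sample_apk()).items():
        print(name, "->", "; ".join(reasons))
```

Run against a real APK by replacing `build_sample_apk()` with the file's bytes. Neither check proves anything on its own: a PNG with trailing bytes may just be sloppy tooling, and DexClassLoader is common in large apps, so the value is in the combination (an odd image asset plus run-time code loading in the same package) as a reason to look closer.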
Re: (Score:2)
Don't forget the joy of thumbnails, so now you don't even need to open the image to exploit the codec bug that pwns your machine.
Re: (Score:2)
How do you think Windows and Android launch image viewers? They associate the file format with the viewer and launch the viewer with the file as a command line argument. It is EXACTLY the same as it was when you had to type it on a command line. You're basically just complaining about Windows' ability to hide file extensions, which is valid, but has really nothing to do with using icons instead of typing on a command line.
Association is the problem (Score:2)
Re: (Score:1)
Re: (Score:2)
Exactly. He's complaining about Windows hiding file extensions by default, which has little to nothing to do with command line crap, which is what my post said in the first place. It's a known security problem with a known solution.
Re: (Score:1)
Steganography (Score:1)
So they've "invented" Steganography [wikipedia.org]?
Re: (Score:2)
So they've "invented" Steganography [wikipedia.org]?
What's with the down-votes? Is hiding an encrypted payload in an image file anything but steganography? It's certainly not a novel way to write a virus since the Windows virus writers have been hiding their code with encryption for quite some time.
Difference with any code obfuscation? (Score:2)
Can this circumvent permissions of the calling app? If not, this is just another demonstration that arbitrary Turing-complete code cannot be automatically validated. One can also load Javascript into a WebView and enable it to execute arbitrary Java code through a reflection-based bridge. I am not sure what the proposed solution is.
Awesome, they re-invented steganography (Score:1)
One important difference between Windows and goog (Score:1)
Windows phones did not carry your credit card information nor did they have your google wallet password.
Re: (Score:2)
Windows phones did not carry your credit card information nor did they have your google wallet password.
Sure they do. First result from Google windows phone password manager [windowscentral.com]
Windows Phone Store payment (Score:3)
Google (like Apple), wants your credit card info for the play store
Is it really any different from ways to pay for purchases on Windows Phone Store [windowsphone.com]?
Re:Windows Phone Store payment (Score:4, Interesting)
You can have an account without a credit card on both.
It's just a bit tricky, and it relies on the fact that if you try to make an account through "the front door" then yes, you need a credit card or other payment option.
But if you go through the "back door" it works just fine.
For iOS, what you do is you try to buy a FREE app. This will ask you to create an account, and will not ask for payment details (because the app is free). And now you have an account without an attached credit card.
Android is the same - just buy a free app.
Re: (Score:3)
Re: (Score:1)
*requires root
**root not available for all phones
*** Certain malware installed by carriers is not removable.
****suck it long. Suck it hard
Re:android = windows (Score:4)
Re: (Score:1)
HAHAHAHAHAHAHAHAHAHHAHAHA
Now, I have windows 7 64 bit ultimate had it the day it was released I also have Norton's Internet security. I have adblockers and cookie deleters and so on too. Guess what? I've never had a virus, I have never had Malware and I DO go to all those free porn sites. So, I would be on top of the list of people who SHOULD get viruses and malware. So please explain to me why I don't get those nasties? I get plenty of what they call
Re: (Score:2)
I don't have nearly the "protection" you have and neither have I. Just don't do stupid things.
Re: (Score:1)
Re: (Score:3)
No, not really.
In Windows, you don't need a special binary to deliver a payload like this.
The article is retarded. Sure, if you try hard enough you can write a trojan to do something stupid. If you are going that far, you don't even need to hide the payload in an image.
At that point, you could probably "exploit" VMS.
Not terribly interesting really.
Re: (Score:2)
Spoken like someone who didn't even read the summary -- and seriously, that's all you need in this case. It's standard trojan nonsense. You have to install an app which then sets about installing another app... secretly.
The whole point of this article, I think, is to make all platforms "equally bad." I smell microsoft or apple sponsorship. If you can't make what you have "better" you "compete" by trying to make others look worse.
Re: (Score:1, Troll)
I'm as anti-Windows as anybody, but calling it "fragmented" is a bit silly.
At work I have an XP VM, with one interface. At home I have Windows 7, with a somewhat different interface. My laptop came with Window 8, which has a radically different interface (of course I pulled out the HDD, installed an SSD and put Linux on it). There's also Window 8.1, which has a somewhat different interface. Oh, and there's 32-bit and 64-bit, and Home and Pro and Basic and Ultimate and...
Windows is at least as fragmented as Android.
Showing how they're equally fragmented (Score:3, Insightful)
My laptop came with Window 8, which has a radically different interface
You could always install Classic Shell, an aftermarket launcher for Windows, to put the S back in Window 8.1 and give you an interface that's closer to Windows 7. Android likewise has aftermarket launchers.
of course I pulled out the HDD, installed an SSD and put Linux on it
Which is like installing a custom ROM on an Android device: there's ABSOLUTELY NO WARRANTY that all peripherals will be supported. I still haven't got my laptop's Bluetooth working in Xubuntu.
Oh, and there's 32-bit and 64-bit
And ARM vs. MIPS vs. Atom.
and Home and Pro and Basic and Ultimate and...
That's more a matter of which OS component repositories you're allowed to access than ac
Re: (Score:2)
Show me a single app that will work on one of these versions but not the others.
Any application that requires Windows XP Mode, SUA, or more than 16 GB of RAM will work only on Windows 7 Pro and Ultimate according to this table [zdnet.com]. So does any application that is accessed remotely through Remote Desktop.
Re: (Score:2)
Any application that requires Windows XP Mode, SUA, or more than 16 GB of RAM will work only on Windows 7 Pro and Ultimate according to this table [zdnet.com].
So... some video editing programs won't be able to access more than 16 GB RAM on Home? Some business applications may work better on the XP virtual machine (XP Mode) than in the native 7? SUA won't be coming with Windows anymore as it has been deprecated, so perhaps that shouldn't count. However, could you not run Cygwin instead?
So does any application that is accessed remotely through Remote Desktop.
That seems a rather convoluted way of stating that you cannot access the computer through Remote Desktop and would have to install VNC or something to do it...
Re: (Score:2)
And the distinction is at least as meaningless as it is in Android.
Pick a valid criticism of Windows-plenty to choose (Score:3)
Windows is at least as fragmented as Android.
Look, I don't like Microsoft any more than most people here, but that's just nonsense. You can grind your ax against Microsoft in plenty of ways that don't require making stuff up. It's not like there isn't anything legitimate to criticize about Windows. Your "evidence" that Windows is fragmented involves versions of Windows that were released over 10 years apart. That's not fragmentation - that's just normal development. The fact that Microsoft sells several versions that release different features dep