Delivering Malicious Android Apps Hidden In Image Files
An anonymous reader writes "Researchers have found a way to deliver a malicious app to Android users by hiding it in what seems to be an encrypted image file, which is then delivered via a legitimate, seemingly innocuous wrapper app. Fortinet malware researcher Axelle Apvrille and reverse engineer Ange Albertini created a custom tool they dubbed AngeCryption, which allows them to encrypt the payload Android application package (APK) and make it look like an image (PNG, JPG) file. They also had to create another APK that carries the "booby-trapped" image file and which can decrypt it to unveil the malicious APK file and install it. A malicious app thus encrypted is nearly invisible to reverse engineers, and possibly even to AV solutions and Google's Android Bouncer." (Here's the original paper, from researchers Axelle Apvrille and Ange Albertini.)
Derp.
Two crypto researchers whose first and last names all start with the letter "A"?
This is just a really fancy way of clicking on an apk. So you install Foosball 2020 and click the app launcher icon and then your phone says "sorry, you need to enable installing 3rd party apps, bye!" and you say "damn you android! I want to play foosball with robots!" so you go through system settings and enable 3rd party installations and get a big warning. Then you open the app launcher icon again and instead of a game, you see a whole new installation screen for another app and the permissions it requires ...
I think from a technical standpoint, this is really neat research, but there are much simpler ways to lead the cattle to the salt lick.
Can we please erase this aggravating nonsense word from the planet?
Windows phones did not carry your credit card information nor did they have your google wallet password.
Some drink at the fountain of knowledge. Others just gargle.
So I'm going to install an app which is used to open a picture I don't know the origin of and which has been tampered with to append a second app, and if the first app opens the "picture" of choice it then installs another app which triggers a permission request (which they say they can work around).
I'd say this is implausible, but between porn and LOLcats there are going to be some unsuspecting idiots out there who might actually get caught.
Is it just my observation, or are there way too many stupid people in the world?
yeah it's fucking stupid fucking stupid fucking stupid
FUCKING STUPID TO THE EXTREME!
That the included APK is hidden inside the PNG is totally TOTALLY irrelevant. It could be ANY kind of file that it is in. Heck, just "thisisthemaliciousapkinrot8.apk" would do it.
Also, does it somehow silently install the malicious APK? On phones where untrusted sources is unchecked? That would be the interesting bit, so I guess no. It would be the main bit of their program, not the irrelevant PNG wooooo encryption nonsense shit. They could just download the malicious APK too. Or open a browser to go to the malicious app's URL and hope that the user installs it.
I mean fuck, there's dozens of ways to hide malicious code that even gets run in Android without this. Do the authors even understand how impossible it is for the automatic scans to check for every custom "malicious" code there is? It just checks for preconfigured signatures on files, ffs. Their new malicious code would have gotten through just as included class files, never mind as included .so files, never mind as included Linux executables (old way to do native parts without NDK).
now, let's get back to talking about host files.
world was created 5 seconds before this post as it is.
So what I really gather from this is encrypted apps can't be checked, scanned or searched for what the contents hold? Really?
And seriously, hiding a payload inside something else isn't new, that's been around for decades at least.
So in other words, don't install apps I have no idea where they come from? Sounds good to me.
Be seeing you...
#1 You'd have to give the first app permissions to install an APK (no apps on Google Play can do this)
#2 The user would be prompted to install the new APK (you could try to trick them that it's an update)
Regardless, let's say your attack vector is Amazon Appstore (I don't know if they even bother with security); you could have done the same thing by just encrypting the APK and sending it as a byte stream to the 1st app.
> And seriously, hiding a payload inside something else isn't new, that's been around for decades at least.
*cough* trojans *cough*
decades you say?
Once upon a time, if you wanted to view an image, you launched your OS's (or some other trusted) image viewer with that image as an argument. If it turned out not to be an image, it wouldn't display, because the image viewer only understood some image formats, and wouldn't execute arbitrary code.
But in the quest to dumb everything down, it was decided that expecting people to understand they should use an image viewer on an image was too much to ask. Instead, we had to make it so simply clicking or pressing the image would view it. And this opened the door for a common attack on Windows, Android, and other environments. The thing could now just CLAIM to be an image, but really it's an executable that's gonna pwn your box.
The less we expect people to understand, the easier it is to exploit them.
> Windows phones did not carry your credit card information nor did they have your google wallet password.
Sure they do. First result from Google windows phone password manager
If I remember correctly, Android malware is a buttload easier to get rid of than Windows malware. From everything I've read, it's a matter of going into Settings, disabling it as a device administrator, and then uninstalling it.
where's the news in this?
they re-invented the concept of trojans?
If there was a way to exploit existing software with a custom image this would be just another exploit hole to close.
This isn't even that if the trojan is needed in the first place to unpack and run the actual exploit..
I don't get why they think people would believe they need to open some random app just to view an image...
Or maybe I underestimate the stupidity of people..
300 decades is still decades...
I'm as anti-Windows as anybody, but calling it "fragmented" is a bit silly.
At work I have an XP VM, with one interface. At home I have Windows 7, with a somewhat different interface. My laptop came with Window 8, which has a radically different interface (of course I pulled out the HDD, installed an SSD and put Linux on it). There's also Window 8.1, which has a somewhat different interface. Oh, and there's 32-bit and 64-bit, and Home and Pro and Basic and Ultimate and...
Windows is at least as fragmented as Android.
I read Anonymous Coward's comment as complaining that Windows, X11 desktop environments, and Android have the "associate the file format with the viewer" feature in the first place. AC wants the user to have to remember the name of the viewer.
Woosh.
You pointed to a click bait article reviewing third-party apps for people who want to make their windows phone carry credit card info, something Google does right out of the box.
Google (like Apple), wants your credit card info for the play store and for tracking. They also want to push you towards their Google Wallet service. It is built into the operating system itself.
They have been using similar techniques to hide malware on desktops for many years. On a desktop it's as simple as hiding the encrypted payload in the resources of a loader application which injects into another process. The only difference is that someone decided to change the platform the attack takes place on.
> My laptop came with Window 8, which has a radically different interface
You could always install Classic Shell, an aftermarket launcher for Windows, to put the S back in Window 8.1 and give you an interface that's closer to Windows 7. Android likewise has aftermarket launchers.
> of course I pulled out the HDD, installed an SSD and put Linux on it
Which is like installing a custom ROM on an Android device: there's ABSOLUTELY NO WARRANTY that all peripherals will be supported. I still haven't got my laptop's Bluetooth working in Xubuntu.
> Oh, and there's 32-bit and 64-bit
And ARM vs. MIPS vs. Atom.
> and Home and Pro and Basic and Ultimate and...
That's more a matter of which OS component repositories you're allowed to access than actual OS fragmentation.
> Google (like Apple), wants your credit card info for the play store
Is it really any different from ways to pay for purchases on Windows Phone Store?
*requires root
**root not available for all phones
*** Certain malware installed by carriers is not removable.
****suck it long. Suck it hard
So they've "invented" Steganography?
Android will ALWAYS ask you if you want to install an .apk, no matter how it is disguised. If you click a link, or visit a website, and it pops up asking you if you want to install, CLICK NO! Simple.
Only idiots get malware on current versions of Android these days. They are either trying to get free porn, music, games or movies. Pay for the content you consume, and don't be an idiot and install random .apk files, and you will never, ever have an issue.
Because that is putting time and effort into developing features to support competitors.
Canonical put time and effort into the Personal Package Archive system, which supports competitors to the official Ubuntu repository. Each PPA is a Debian repository with a public key to verify packages, and a Canonical-managed PKI ties them together. True, a lot of that comes from the Debian project, but Canonical still polished it into PPAs starting in Ubuntu 9.10.
You don't say! Everyone knows you just need a good HOSTS file to block APK.
If the malware didn't need root to enable itself as a device admin, then you don't need root to disable it. Most Android malware that makes the news is not the alleged "malware" installed by carriers, and besides, that's easily avoidable by buying Nexus or Google Play Edition devices and avoiding VZW and Sprint.
Can this circumvent permissions of the calling app? If not, this is just another demonstration that arbitrary Turing-complete code cannot be automatically validated. One can also load JavaScript into a WebView and enable it to execute arbitrary Java code through a reflection-based bridge. I am not sure what the proposed solution is.
> Home and Pro and Basic and Ultimate and...
Show me a single app that will work on one of these versions but not the others.
Apk made a good app to build hosts files to protect users from online threats here http://start64.com/index.php?o... that gets its data for custom hosts creation from 12 reputable security community sites that do so. Have you personally done more or better to help the online community than apk has or are you just another ac troll that can't prove his points wrong on hosts files? I'm wagering the latter in your case.
This is the stupidest thing I've read in a long time.
Step 1: Create a really evil program.
Step 2: Encrypt it so it won't be detected... and won't run.
Step 3: Create another evil program that can decrypt other evil applications and run them.
Step 4: Get idiot to install second evil application.
This is so stupid it hurts my head. Can I make slashdot if I encode a malicious application to look like an MP3 and create another application to run it?
And the distinction is at least as meaningless as it is in Android.
by Mike Buddha -- Someday the mountain might get him, but the law never will.
> Windows is at least as fragmented as Android.
Look, I don't like Microsoft any more than most people here but that's just nonsense. You can grind your ax against Microsoft in plenty of ways that don't require making stuff up. It's not like there isn't anything legitimate to criticize about Windows. Your "evidence" that Windows is fragmented involves versions of Windows that were released over 10 years apart. That's not fragmentation - that's just normal development. The fact that Microsoft sells several versions that release different features depending on your license code isn't fragmentation - that's just price discrimination. Microsoft only sells a relatively small number of versions at any given time - FAR less than the number of Android versions available for sale.
There are dozens if not hundreds of companies selling highly customized versions of Android. Want to upgrade to Google's latest code? On most devices you are out of luck unless you want to go to the hassle of jailbreaking. There are even info graphics detailing Android's problems with a horde of different versions and makers.
> Show me a single app that will work on one of these versions but not the others.
Any application that requires Windows XP Mode, SUA, or more than 16 GB of RAM will work only on Windows 7 Pro and Ultimate according to this table. So does any application that is accessed remotely through Remote Desktop.
and now go and read some books before you announce the next "big" thing.
No, not really.
In Windows, you don't need a special binary to deliver a payload like this.
The article is retarded. Sure, if you try hard enough you can write a trojan to do something stupid. If you are going that far, you don't even need to hide the payload in an image.
At that point, you could probably "exploit" VMS.
Not terribly interesting really.
A Pirate and a Puritan look the same on a balance sheet.
The other products are supplied with Virtual PC instead of "XP Mode." You knew this, the article you cite hints at it and you skirted it on a semantic play. If you didn't know it then you shouldn't be discussing it.
I'll give you the RAM limitations.... not that I've ever seen a Win app that requires 16 GB but I'll still take the brunt of that.
Aside from that there's a lot of outdated information in the article and some that wasn't even correct when it was published 5 years ago.
> Any application that requires Windows XP Mode, SUA, or more than 16 GB of RAM will work only on Windows 7 Pro and Ultimate according to this table.
So... some video editing programs won't be able to access more than 16 GB RAM on Home? Some business applications may work better on the XP virtual machine (XP Mode) than in the native 7? SUA won't be coming with Windows anymore as it has been deprecated, so perhaps that should count. However, could you not run Cygwin instead?
> So does any application that is accessed remotely through Remote Desktop.
That seems a rather convoluted way of stating that you cannot access the computer through Remote Desktop and would have to install VNC or something to do it...
It is what it is.
You're comparing a PHONE OS to a Desktop Computer OS??
HAHAHAHAHAHAHAHAHAHHAHAHA
Now, I have Windows 7 64-bit Ultimate; I've had it since the day it was released. I also have Norton Internet Security. I have adblockers and cookie deleters and so on too. Guess what? I've never had a virus, I have never had malware, and I DO go to all those free porn sites. So, I would be on top of the list of people who SHOULD get viruses and malware. So please explain to me why I don't get those nasties? I get plenty of what they call tracker cookies.
Jack of all trades,master of none
Perhaps you don't understand the term "fragmented" as well as you think you do. Applied to Android it means that software developers require the use of hacks, erm short-term fixes, specific to particular Android versions so as to make the one app work the same on multiple versions on Android. In the Windows world you can generally get away with writing programs to the APIs in Windows XP and it "just works" on everything going forward. (Heck, we only dropped Windows 2000 support from our code base at the beginning of this year.)
Come on, the blackhat community is a whole lot of fear mongering to get headlines... hence the Slashdot rep... This is why I am sick of security researchers... it's like the boy who cried wolf... all the time.
Android also lets you disable default apps (that can't be uninstalled without root due to being on the read-only system partition).
Spoken like someone who didn't even read the summary -- and seriously, that's all you need in this case. It's standard trojan nonsense. You have to install an app which then sets about installing another app... secretly.
The whole point of this article, I think, is to make all platforms "equally bad." I smell microsoft or apple sponsorship. If you can't make what you have "better" you "compete" by trying to make others look worse.
I don't have nearly the "protection" you have and neither have I. Just don't do stupid things.
Well, I don't confuse a phone OS with a desktop PC OS, that's for sure. And I guess if I didn't go to porn sites I wouldn't need the protection I have, but it's always best to wear protection ;}