Delivering Malicious Android Apps Hidden In Image Files

An anonymous reader writes "Researchers have found a way to deliver a malicious app to Android users by hiding it into what seems to be an encrypted image file, which is then delivered via a legitimate, seemingly innocuous wrapper app. Fortinet malware researcher Axelle Apvrille and reverse engineer Ange Albertini created a custom tool they dubbed AngeCryption, which allows them to encrypt the payload Android application package (APK) and make it look like an image (PNG, JPG) file . They also had to create another APK that carries the "booby-trapped" image file and which can decrypt it to unveil the malicious APK file and install it. A malicious app thusly encrypted is nearly invisible to reverse engineers, and possibly even to AV solutions and Google's Android Bouncer." (Here's the original paper, from researchers Axelle Apvrille and Ange Albertini.)

Still have to install

[dasacc22]

This is just a really fancy way of clicking on an apk. So you install Foosball 2020 and click the app launcher icon and then your phone says "sorry, you need to enable installing 3rd party apps, bye!" and you say "damn you android! I want to play foosball with robots!" so you go through system settings and enable 3rd party installations and get a big warning. Then you open the app launcher icon again and instead of a game, you see a whole new installation screen for another app and the permissions it requires ...

I think from a technical standpoint, this is really neat research, but there are much simpler ways to lead the cattle to the salt lick.

Encrytped App can't be checked? No shit.

[Nyder]

So what I really gather from this is encrypted apps can't be check, scan or searched for what the contents hold? Really?

And seriously, hiding a payload inside something else isn't new, that's been around for decades at least.

So in other words, don't install apps I have no idea where they come from? Sounds good to me.

Re:So you have to install an app...

[AmiMoJo]

Yeah, but a totally innocuous app that the store maintainers are liable to let through.

Meaning it isn't limited to just Android. This vulnerability has been known about for ages and affects all operating systems. You simply hide the virus encrypted inside the main app, in this case with a bit of obfuscation to make it look like an image too. Standard technique for trojans.

Showing how they're equally fragmented

[tepples]

My laptop came with Window 8, which has a radically different interface

You could always install Classic Shell, an aftermarket launcher for Windows, to put the S back in Window 8.1 and give you an interface that's closer to Windows 7. Android likewise has aftermarket launchers.

of course I pulled out the HDD, installed an SSD and put Linux on it

Which is like installing a custom ROM on an Android device: there's ABSOLUTELY NO WARRANTY that all peripherals will be supported. I still haven't got my laptop's Bluetooth working in Xubuntu.

Oh, and there's 32-bit and 64-bit

And ARM vs. MIPS vs. Atom.

and Home and Pro and Basic and Ultimate and...

That's more a matter of which OS component repositories you're allowed to access than actual OS fragmentation.

Re:So you have to install an app...

[AmiMoJo]

It won't work on an Android device unless you first enable the ability to side load apps, click through all the warnings, then re-start the trojan, click through the side load app warning, and finally click through the new app installation screen and permission list.