Delivering Malicious Android Apps Hidden In Image Files
An anonymous reader writes "Researchers have found a way to deliver a malicious app to Android users by hiding it in what seems to be an encrypted image file, which is then delivered via a legitimate, seemingly innocuous wrapper app. Fortinet malware researcher Axelle Apvrille and reverse engineer Ange Albertini created a custom tool they dubbed AngeCryption, which allows them to encrypt the payload Android application package (APK) and make it look like an image (PNG, JPG) file. They also had to create another APK that carries the "booby-trapped" image file and which can decrypt it to unveil the malicious APK file and install it. A malicious app thusly encrypted is nearly invisible to reverse engineers, and possibly even to AV solutions and Google's Android Bouncer." (Here's the original paper, from researchers Axelle Apvrille and Ange Albertini.)
You whitelisted Amazon app store when you reviewed the permissions and clicked install. Enabling 3rd party app installation is an all or nothing affair b/c it's, well, 3rd parties.
In their testing, Android did show a permission request when the legitimate wrapper file tried to install the malicious APK, but the researchers say that this can be prevented by using DexClassLoader.
Doing that isn't much of a stretch. Many popular apps already use DexClassLoader just to get around limits during packaging.
Such an attack would not work against iOS since the sub-app would not be signed to run on the device, and the parent app wouldn't be able to launch the other process.
You can have an account without a credit card on both.
It's just a bit tricky, and it relies on the fact that if you try to make an account through "the front door" then yes, you need a credit card or other payment option.
But if you go through the "back door" it works just fine.
For iOS, what you do is you try to buy a FREE app. This will ask you to create an account, and will not ask for payment details (because the app is free). And now you have an account without an attached credit card.
Android is the same - just buy a free app.