Slashdot Mirror

← Back to Stories (view on slashdot.org)

Delivering Malicious Android Apps Hidden In Image Files

Posted by timothy on from the best-case-never-touch-a-phone dept.

An anonymous reader writes "Researchers have found a way to deliver a malicious app to Android users by hiding it into what seems to be an encrypted image file, which is then delivered via a legitimate, seemingly innocuous wrapper app. Fortinet malware researcher Axelle Apvrille and reverse engineer Ange Albertini created a custom tool they dubbed AngeCryption, which allows them to encrypt the payload Android application package (APK) and make it look like an image (PNG, JPG) file . They also had to create another APK that carries the "booby-trapped" image file and which can decrypt it to unveil the malicious APK file and install it. A malicious app thusly encrypted is nearly invisible to reverse engineers, and possibly even to AV solutions and Google's Android Bouncer." (Here's the original paper, from researchers Axelle Apvrille and Ange Albertini.)

113 comments

  1. android = windows by Anonymous Coward · · Score: -1

    Android really is the Windows of phones. Open, free, and on lots of different devices, but also fragmented and vulnerable to malware.

    1. Re:android = windows by Anonymous Coward · · Score: -1

      I'm as anti-Windows as anybody, but calling it "fragmented" is a bit silly.

    2. Re:android = windows by tepples · · Score: 2

      If I remember correctly, Android malware is a buttload easier to get rid of than Windows malware. From everything I've read, it's a matter of going into Settings, disabling it as a device administrator, and then uninstalling it.

    3. Re:android = windows by 0123456 · · Score: 0, Troll

      I'm as anti-Windows as anybody, but calling it "fragmented" is a bit silly.

      At work I have an XP VM, with one interface. At home I have Windows 7, with a somewhat different interface. My laptop came with Window 8, which has a radically different interface (of course I pulled out the HDD, installed an SSD and put Linux on it). There's also Window 8.1, which has a somewhat different interface. Oh, and there's 32-bit and 64-bit, and Home and Pro and Basic and Ultimate and...

      Windows is at least as fragmented as Android.

    4. Re:android = windows by Anonymous Coward · · Score: 1

      *requires root
      **root not available for all phones
      *** Certain malware installed by carriers is not removable.
      ****suck it long. Suck it hard

    5. Re:android = windows by tepples · · Score: 3

      If the malware didn't need root to enable itself as a device admin, then you don't need root to disable it. Most Android malware that makes the news is not the alleged "malware" installed by carriers, and besides, that's easily avoidable by buying Nexus or Google Play Edition devices and avoiding VZW and Sprint.

    6. Re:android = windows by Anonymous Coward · · Score: 0

      Home and Pro and Basic and Ultimate and...
       
      Show me a single app that will work on one of these versions but not the others.

    7. Re:android = windows by Mike+Buddha · · Score: 1

      And the distinction is at least as meaningless as it is in Android.

      --
      by Mike Buddha -- Someday the mountain might get him, but the law never will.
    8. Re:android = windows by tepples · · Score: 1

      Show me a single app that will work on one of these versions but not the others.

      Any application that requires Windows XP Mode, SUA, or more than 16 GB of RAM will work only on Windows 7 Pro and Ultimate according to this table. So does any application that is accessed remotely through Remote Desktop.

    9. Re:android = windows by jedidiah · · Score: 2

      No, not really.

      In Windows, you don't need a special binary to deliver a payload like this.

      The article is retarded. Sure, if you try hard enough you can write a trojan to do something stupid. If you are going that far, you don't even need to hide the payload in an image.

      At that point, you could probably "exploit" VMS.

      Not terribly interesting really.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    10. Re:android = windows by Anonymous Coward · · Score: 0

      The other products are supplied with Virtual PC instead of "XP Mode." You knew this, the article you cite hints at it and you skirted it on a semantic play. If you didn't know it then you shouldn't be discussing it.
       
      I'll give you the RAM limitations.... not that I've ever seen a Win app that requires 16 GB but I'll still take the brunt of that.
       
      Aside from that there's a lot of outdated information in the article and some that wasn't even correct when it was published 5 years ago.

    11. Re:android = windows by oji-sama · · Score: 1

      Any application that requires Windows XP Mode, SUA, or more than 16 GB of RAM will work only on Windows 7 Pro and Ultimate according to this table.

      So... some video editing programs won't be able to access more thatn 16 GB RAM on home? Some business applications may work better on the XP virtual machine (XP Mode) than in the native 7? SUA won't be coming with Windows anymore as it has been deprecated, so perhaps that should count. However, could you not run Cygwin instead?

      So does any application that is accessed remotely through Remote Desktop.

      That seems rather convoluted way of stating that you cannot access the computer through Remote Desktop and would have to install vnc or something to do it...

      --
      It is what it is.
    12. Re:android = windows by Stan92057 · · Score: 1

      Your comparing a PHONE OS to a DeskTop Computer OS??

      HAHAHAHAHAHAHAHAHAHHAHAHA

      Now, I have windows 7 64 bit ultimate had it the day it was released I also have Norton's Internet security. I have adblockers and cookie deleters and so on too. Guess what? I've never had a virus, I have never had Malware and I DO go to all those free porn sites. So, I would be on top of the list of people who SHOULD get viruses and malware. So please explain to me why I don't get those nasties? I get plenty of what they call tracker cookies

      --
      Jack of all trades,master of none
    13. Re:android = windows by Anonymous Coward · · Score: 0

      Perhaps you don't understand the term "fragmented" as well as you think you do. Applied to Android it means that software developers require the use of hacks, erm short-term fixes, specific to particular Android versions so as to make the one app work the same on multiple versions on Android. In the Windows world you can generally get away with writing programs to the APIs in Windows XP and it "just works" on everything going forward. (Heck, we only dropped Windows 2000 support from our code base at the beginning of this year.)

    14. Re:android = windows by Anonymous Coward · · Score: 0

      Android also lets you disable default apps (that can't be uninstalled without root due to being on the read-only system partition).

    15. Re:android = windows by erroneus · · Score: 1

      Spoken like someone who didn't even read the summary -- and seriously, that's all you need in this case. It's standard trojan nonsense. You have to install an app which then sets about installing another app... secretly.

      The whole point of this article, I think, is to make all platforms "equally bad." I smell microsoft or apple sponsorship. If you can't make what you have "better" you "compete" by trying to make others look worse.

    16. Re:android = windows by erroneus · · Score: 1

      I don't have nearly the "protection" you have and neither have I. Just don't do stupid things.

    17. Re:android = windows by Stan92057 · · Score: 1

      well i don't confuse a phone OS with a desktop PC OS that's for sure. And i guess if i didn't go to porn sites i wouldn't need the protection i have but its always best to wear protection ;}

      --
      Jack of all trades,master of none
  2. So you have to install an app... by Anonymous Coward · · Score: 0

    Derp.

    1. Re:So you have to install an app... by i+kan+reed · · Score: 1

      Yeah, but a totally innocuous app that the store maintainers are liable to let through.

    2. Re:So you have to install an app... by AmiMoJo · · Score: 3, Insightful

      Yeah, but a totally innocuous app that the store maintainers are liable to let through.

      Meaning it isn't limited to just Android. This vulnerability has been known about for ages and affects all operating systems. You simply hide the virus encrypted inside the main app, in this case with a bit of obfuscation to make it look like an image too. Standard technique for trojans.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:So you have to install an app... by StripedCow · · Score: 1

      I thought app stores existed because of security.
      Let's do away with them altogether then.

      --
      If Pandora's box is destined to be opened, *I* want to be the one to open it.
    4. Re:So you have to install an app... by Anonymous Coward · · Score: 1, Interesting

      Such an attack would not work against iOS since the sub-app would not be signed to run on the device, and the parent app wouldn't be able to launch the other process.

    5. Re:So you have to install an app... by tepples · · Score: 0

      Such an attack would not work against iOS

      Even if you carry an iPhone or iPad as your primary device to avoid trojans, you still have to carry an Android device if you want to use legitimate applications that belong to entire categories that Apple is known to reject.

    6. Re:So you have to install an app... by Anonymous Coward · · Score: 0

      Their point is to secure a revenue stream for their operators.

    7. Re:So you have to install an app... by tepples · · Score: 1

      Then what's the point of Google Play Store, Amazon Appstore, and F-Droid, which all have a sizable collection of apps available without charge? In F-Droid's case, the apps are even free software.

    8. Re:So you have to install an app... by Anonymous Coward · · Score: 0

      That has nothing to do with signed binaries but Apple rejecting useful applications.

    9. Re:So you have to install an app... by tepples · · Score: 1

      Yet because Apple rejects useful applications such as MozStumbler and any web browser that isn't a Safari wrapper, users end up having to deal with a platform that allows use of unsigned binaries without payment of a recurring fee to the operating system publisher. They have nothing to do with each other technically and everything to do with each other politically.

    10. Re:So you have to install an app... by i+kan+reed · · Score: 1

      You thought wrong.

      There's a lot of reasons, if you're an OS developer, to have an app store, but security is pretty low on them.
      #1: It lets you control what applications are available on your platform. No worrying about someone treading on your toes, selling something you sell.
      #2: It gives you a cut of every app sold. This means that you can make your OS a loss leader, and take your profits from the sales of people making things people actually like.
      #3: Building your brand. Marketing poisons everything. People talking, even occasionally, about your company's store, versus some website or store where they bought something is good for the recognizably of your other crap
      #4: Yeah, okay. A gesture towards quality control
      #5: Yeah, okay. A gesture towards security.

    11. Re:So you have to install an app... by jbssm · · Score: 2
      > affects all operating systems.

      Not really. You cannot launch an app that's not signed in iOS to run on that specifically device, thereby all this process just wouldn't work in iOS for instance.

      It also wouldn't work in OSX unless you deactivated the permissions to run only Mac Store apps (which many of the people do though).

    12. Re:So you have to install an app... by AmiMoJo · · Score: 4, Insightful

      It won't work on an Android device unless you first enable the ability to side load apps, click through all the warnings, then re-start the trojan, click through the side load app warning, and finally click through the new app installation screen and permission list.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    13. Re:So you have to install an app... by ShaunC · · Score: 1

      Apple's App Store has plenty of apps available without charge, too, but they sure hope you buy some that cost money. I don't think I know anyone with a smart phone, regardless of OS, who only has free apps and hasn't purchased at least one. F-Droid isn't really an app store, unless you want to get clever and interpret "store" as a storage facility as opposed to a marketplace. It's a curated library, not a store. F-Droid is a registered nonprofit and relies on donations to survive.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    14. Re:So you have to install an app... by jbssm · · Score: 1

      My comment was not to disprove that it was possible or not on android without user intervention, my comment was to disprove your statement that this issue affects all operating systems. It does not, iOS it's completely impervious to this attack.

      On the other hand, you are right about user intervention. Android seems to need user intervention just like OSX does in order for this to attack to work.

    15. Re:So you have to install an app... by Anonymous Coward · · Score: 1

      Devil's advocate here:

      One reason why Apple has such a sterling reputation for security is that they have a brutal gatekeeper and don't let anyone else have install mechanisms (other than developers or the enterprise.) They also disallow forms of programs that will be asking for trouble such as hypervisors and VM environments where code can be fetched and run that isn't trusted.

      These days, there are two ways to get a device compromised:

      1: Browser and browser add-ons. Adblock, click-to-play, sandboxing, and even running the browser in a VM or separate filesystem [1] are good defenses.

      2: The Dancing Bunnies (or dancing whatevers). Apple solves this by locking the user well away from any install mechanism. Ironically, Android's OS is more secure (although its all/nothing perms model can be helped by XPrivacy), but because of the fact that users can install the pr0n viewer.apk file from a rogue site, it makes the OS appear to be less secure.

      [1]: I've had malware create tons of files on a volume before, so many in such deep tree structures that unlink (in UNIX) or rmdir (in Windows) will fail. So, my sandbox volumes go on their separate partition that can be easily formatted. Plus, on Windows, I use BitLocker (with no key protectors) so a format of the volume renders all the data inaccessible (the format.exe command zeroes the VEK field multiple times.)

    16. Re:So you have to install an app... by Ronin+Developer · · Score: 2

      Why was the parent post modded to -1? The fact is that they are correct - unless your iPhone is jailbroken. The sandbox prevents unsigned apps from being installed. And, apps that do get installed have limited access to the rest of the file system. At least that's the way it worked prior to iOS 8.

      The walled garden is both a curse and a blessing - depends on how you look at it.

    17. Re:So you have to install an app... by Mike+Buddha · · Score: 0

      iOS it's completely impervious to this attack.

      Because no one's figured out a way to run unsigned applications on iOS, right? Umm...

      --
      by Mike Buddha -- Someday the mountain might get him, but the law never will.
    18. Re:So you have to install an app... by jbssm · · Score: 1

      Depends, if you want to bring previously bugs in the code that are now patched on to this discussion, we will have a lot to talk about now patched bugs on Android as well.

      We are talking about the present state of the operating systems, not about what bugs might or might not be discovered in the future.

    19. Re:So you have to install an app... by tlhIngan · · Score: 1

      Not really. You cannot launch an app that's not signed in iOS to run on that specifically device, thereby all this process just wouldn't work in iOS for instance.

      It also wouldn't work in OSX unless you deactivated the permissions to run only Mac Store apps (which many of the people do though).

      OS X's default permission for GateKeeper is Mac App Store and Developer Signed Apps. It has never been Mac App Store only. The other option is well, "off" (any source).

      And it'll always remain that way because people do buy apps elsewhere (there are categories of apps the MAS will not have, such as demos, drivers, utilities (that cannot be sandboxed), etc.)

      So if your payload was signed, then yes, it'll run on OS X just fine. Though if it's particularly virulent, Apple will probably revoke the signing certificate, thus making the payload non-executable by default.

      Though there is also another nuance to it - GateKeeper only works from untrusted sources - if you compile an application from source code, even though it's unsigned, it actually will NOT pop up a warning because it came from a trusted source (the compiler). Ditto apps installed from optical media. The untrusted source here would be the Internet.

      So yeah, the trick will work on OS X. Though to be honest, it seems like a rather roundabout way to do things when the user will just double-click the file anyways.

      The trick appears more like those videos and crap that try to get you to install "codec packs" which don't do anything other than install malware on your machine.

    20. Re:So you have to install an app... by jbssm · · Score: 1
      > OS X's default permission for GateKeeper is Mac App Store and Developer Signed Apps. It has never been Mac App Store only. The other option is well, "off" (any source).

      You are right. I had the idea I had fiddled with the options from Mac Store only to Anywhere, but the default was Mac App Store and Developer Signed Apps after all

      I would suggest thought, that JAVA vulnerabilities and Adobe Flash Player (which I haven't installed btw, but many people do) vulnerabilities, are still the greatest threat to OSX now-a-days.

    21. Re:So you have to install an app... by skids · · Score: 1

      One reason why Apple has such a sterling reputation for security...

      WHAT? No seriously, where does this reputation exist? I've never heard of it.

      --
      Someone had to do it.
    22. Re:So you have to install an app... by skids · · Score: 1

      In most cases, to require you to log in so that the accuracy of advertisement targeting on your personage can be maintained; that is their purpose, f-droid excepted.

      --
      Someone had to do it.
    23. Re:So you have to install an app... by Anonymous Coward · · Score: 0

      You cannot launch an app that's not signed in iOS to run on that specifically device

      Since I own no iOS devices, I've never bothered to keep up with this, but.. has Apple managed to successfully lock down iOS such that it cannot be jail-broken? Because if they have not, then what you just said is unequivocally false.

    24. Re:So you have to install an app... by Anonymous Coward · · Score: 0

      If the host binary is trusted to run, then the binary it extracts from the encoded image can also be run.

      As you say, gatekeeper interferes with binaries from untrusted sources - that means all the app has to do is remove the 'untrusted source' indicator from the extracted binary - assuming it existed in the first place.

      This is a simple matter of removing an extended filesystem attribute.

    25. Re:So you have to install an app... by Anonymous Coward · · Score: 0

      Soooooo.... why is this on slashdot?

    26. Re: So you have to install an app... by tom229 · · Score: 1

      What confuses me is that android has the exact same walled garden approach by default. You have to manually allow "untrusted source" installs. Apple, of course, doesn't allow this because then they wont get their 30% cut (it has nothing to do with security - sorry folks).

      If you want to do this on ios, you jailbreak , and make your device more functional, but arguably less secure if you don't know what you're doing, or you're some sort of chimp.

      Talking about security used to mean how free from vulnerabilities and exploits a platform was. It would seem things have devolved into a conversation about which platform more readily allows the town dullard to shoot himself in the foot. It's a political conversation indeed.

      --
      If it ain't broke, don't fix it.
    27. Re:So you have to install an app... by Anonymous Coward · · Score: 0

      You realize that any jail breaking a device is a bug in the present the state of the OS.

      As such, i things have been vulnerable to this attack for as long as that attack exists.

  3. Unlikely by omems · · Score: 2

    Two crypto researchers whose first and last names all start with the letter "A"?

    1. Re:Unlikely by pushing-robot · · Score: 2

      Unlikely...or it may provide insight into Fortinet's hiring practices.

      --
      How can I believe you when you tell me what I don't want to hear?
    2. Re:Unlikely by 91degrees · · Score: 2

      Hiring manager is called Bob. He can only receive emails from people whose names start with A.

    3. Re:Unlikely by frank_adrian314159 · · Score: 1

      It won't hurt crypto algorithms unless their names are both Alice.

      --
      That is all.
    4. Re:Unlikely by gstoddart · · Score: 3, Funny

      Bah, why do you think all crypto discussions are about exchanges between Alice and Bob? :-P

      --
      Lost at C:>. Found at C.
  4. 2mod 3own by Anonymous Coward · · Score: -1

    who sell another DISCUSSION I'M FreeBSD's time wholesome and driven out by the mod points and is the ultimate I7 *BSD is to antibacterial soap. cycle; take a

  5. Still have to install by dasacc22 · · Score: 4, Insightful

    This is just a really fancy way of clicking on an apk. So you install Foosball 2020 and click the app launcher icon and then your phone says "sorry, you need to enable installing 3rd party apps, bye!" and you say "damn you android! I want to play foosball with robots!" so you go through system settings and enable 3rd party installations and get a big warning. Then you open the app launcher icon again and instead of a game, you see a whole new installation screen for another app and the permissions it requires ...

    I think from a technical standpoint, this is really neat research, but there are much simpler ways to lead the cattle to the salt lick.

    1. Re:Still have to install by Jason+Levine · · Score: 2

      One problem might be that enabling third party apps seems to be an all or nothing affair. Your average Android device comes enabled to load apps from the Google Play store, but suppose you want to take advantage of the Amazon App Store also. (They have free apps of the day some of which might be interesting to use.) So you enable third party apps to load the Amazon App Store. However, now you are opened up to ANY third party app. It would be better if you could white-list the Amazon App Store but not RANDOM_WEBSITE_APP_STORE.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    2. Re:Still have to install by dasacc22 · · Score: 1, Interesting

      You white listed amazon app store when you reviewed the permissions and clicked install. Enabling 3rd party app installation is an all or nothing affair b/c its, well, 3rd parties.

    3. Re:Still have to install by dasacc22 · · Score: 5, Informative
      I stand corrected after RTFA

      In their testing, Android did show a permission request when the legitimate wrapper file tried to install the malicious APK, but the researchers say that this can be prevented by using DexClassLoader.

      Now that sounds plausible and like a real concern (that is being addressed).

    4. Re:Still have to install by tepples · · Score: 1

      Enabling 3rd party app installation is an all or nothing affair b/c its, well, 3rd parties.

      Why doesn't the system provide a mechanism for the user to distinguish between trusted and untrusted third parties? For example, a user ought to have a way to choose to trust Amazon and F-Droid alongside Google but distrust all other APK sources.

    5. Re:Still have to install by Anonymous Coward · · Score: 0

      Still a very simple and effective attack vector.

      Many people will fall for such a thing because there are no scans and checks AFTER an app has passed Googles checks. (which are pretty fucking LAX at that)

      It is the same issue with any content that can be changed after it has been verified, or user-content sites.
      What sort of content rating does a site like Youtube get?
      Are you absolutely sure that the website you just OK'd for sponsorship isn't a virus? (like the still very alive link for firefox on Google searches, well, the site is dead, but the link still shows)
      Because these checks are only done once, or are hidden from view, such things can trivially get past if they simply encrypt them in a smart way.

    6. Re:Still have to install by Himmy32 · · Score: 2

      Because that is putting time and effort into developing features to support competitors. At least they support competition with decent security.

    7. Re:Still have to install by caseih · · Score: 2

      Well the fact of the matter is that Google is only interested in making sure their app store is the only trusted store. The choice to make it all or nothing was deliberate on their part. They could easily have implemented user-selectable trust of signing certificates. Granted 90% of android users don't even understand the problem, let alone the solution.

      Still, though, this vulnerability appears to be firmly in the area of social engineering because why would I want to download an encrypted image file that requires another separate, random app to decrypt and view it?

    8. Re:Still have to install by jittles · · Score: 1

      And if you already have third party apps enabled for some reason?

    9. Re:Still have to install by Anonymous Coward · · Score: 0

      When I got my new Android phone earlier this year (HTC One M8), one of the newer features I noticed was that if you install a third-party APK, the OS actually prompts you if you want to verify that the file is "safe", I'm assuming through some sort of identifying process (hash some value from the APK, perhaps) that is then transmitted to Google to be compared against a known list of "bad" APK files.

      With that in place, it seems like it would help prevent something like this from spreading (perhaps only on more recent devices - I don't know if it's part of the OS itself, or part of the "Google Play Services" that they are trying to offload large parts of the OS into.)

    10. Re:Still have to install by Anonymous Coward · · Score: 0

      Years ago i infected millions of people with pigsex.exe

      I didn't even try to hide that it was an exe.

    11. Re:Still have to install by tepples · · Score: 1

      why would I want to download an encrypted image file that requires another separate, random app to decrypt and view it?

      Ask users of Snapchat.

    12. Re:Still have to install by dasacc22 · · Score: 1

      that reads more like a statement rather than a question. Regardless of location source, whether google sanctioned or not, and if one has decided to install things from places other than google (arguably the 3rd party check box is the type of thing that makes android a google project versus pure OSS, or in the same respects is what differentiates chrome from chromium), etc, etc, when you install an application, you will be prompted. This prompt shares similarity with, for example, running a downloaded executable on windows and being prompted before actually running.

      Having 3rd party sources disabled is not a safety net for avoiding issues, that's simply what makes android a google product.

    13. Re:Still have to install by Fnord666 · · Score: 1

      Still, though, this vulnerability appears to be firmly in the area of social engineering because why would I want to download an encrypted image file that requires another separate, random app to decrypt and view it?

      The payload is encrypted/embedded into an image that is an asset inside the application such as a splash screen or a logo. It appears innocuous until the application runs, extracts the embedded apk and executes it. Prior to that the malicious payload is not detected by application scanners that scan the carrier apk.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  6. Thusly by Anonymous Coward · · Score: 0

    Can we please erase this aggravating nonsense word from the planet?

  7. One important difference between Windows and goog by goombah99 · · Score: 0

    Windows phones did not carry your credit card information nor did they have your google wallet password.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  8. This sounds rather convoluted by Overzeetop · · Score: 2

    So I'm going to install an app which is used to open a picture I don't know the origin of and which has been tampered with to append a second app, and if the first app opens the "picture" of choice it then installs another app which triggers a permission request (which they say they can work around).

    I'd say this is implausible, but between porn and LOLcats there are going to be some unsuspecting idiots out there who might actually get caught.

    --
    Is it just my observation, or are there way too many stupid people in the world?
    1. Re:This sounds rather convoluted by tepples · · Score: 1

      I don't get why they think people would believe they need to open some random app just to view an image...

      Because not all images are single-layer PNG or JPEG. There exist a lot of image formats a viewer for which is not included with all major operating systems. Compare to a common tactic used by Windows trojans: a web site displays a video with an "unsupported codec" and then ships the trojan disguised as a codec installer. Does Windows even come with a PDF viewer?

    2. Re:This sounds rather convoluted by skids · · Score: 1

      That's a plausible technical reason. The real reason, though is social. Users have been conditioned to equate content and apps.

      --
      Someone had to do it.
  9. fjaoiejaaaaaaarghhh by gl4ss · · Score: 0, Troll

    yeah it's fucking stupid fucking stupid fucking stupid
    FUCKING STUPID TO THE EXTREME!

    that the included APK is hidden inside the png is totally TOTALLY irrelevant. it could be ANY kind of file that it is in. heck, just "thisisthemaliciousapkinrot8.apk" would do it.

    also, does it somehow silently install the malicious apk? on phones where untrusted sources is unchecked? that would be the interesting bit, so I guess no. it would be the main bit of their program, not the irrelevant png wooooo encryption nonsense shit. they could just download the malicious apk too. or open a browser to go the malicious apps url and hope that the user installs it.

    I mean fuck, there's dozens of ways to hide malicious code that even gets run in android without this. do the authors even understand how impossible it is for the automatic scans to check for every custom "malicious" code there is? it just checks for pre configured signatures on files ffs. their new malicious code would have gotten through just as included class files, nevermind as included .so files,nevermind as included linux executables(old way to do native parts without ndk).

    now, let's get back to talking about host files.

    --
    world was created 5 seconds before this post as it is.
    1. Re:fjaoiejaaaaaaarghhh by AqD · · Score: 2

      The average smartphone users are just like PC users. They cannot understand that AV scanning is only useful because a lot of malware authors want their works to be found and recognized, because they're doing it for fun.

    2. Re:fjaoiejaaaaaaarghhh by gl4ss · · Score: 1

      if you glance the paper, it might seem that they include a root exploit that gets run with the application. however, deeper reading is that the root exploit is only mentioned on an exampe of an android malware file..

      in the example of their application, they conviently skip even saying if the apk install screen is shown! however I still think it is shown because they include this disclaimer right after there..
      "Note trickier implementations can conceal the installation of the payload APK", sneaky bastards, they apparently use that line in the paper to justify skipping of showing the installation screens for the second apk- the paper makes it look like it just skips from one application straight to the next but that note line there tells the truth, so technically they're not lying. and a trickier implementation wouldn't even require an apk, devoting half the paper to angecrypt commandline usage and all that shit - making the whole paper irrelevant in the context of a 'trickier implementation'. now tell the trickier implementation as that would be news, if you have it!

      does a troll mod give a temporary few minute ban to slashdot? that's real classy. couldn't post clarification for hours.

      --
      world was created 5 seconds before this post as it is.
  10. Encrytped App can't be checked? No shit. by Nyder · · Score: 1, Insightful

    So what I really gather from this is encrypted apps can't be check, scan or searched for what the contents hold? Really?

    And seriously, hiding a payload inside something else isn't new, that's been around for decades at least.

    So in other words, don't install apps I have no idea where they come from? Sounds good to me.

    --
    Be seeing you...
  11. Cute but useless by Anonymous Coward · · Score: 0

    #1 You'd have to give the first app permissions to install an APK (no apps on Google Play can do this)
    #2 The user would be prompted to install the new APK (you could try to trick them its an update)

    Regardless, let's say your attack vector is Amazon Appstore (i don't know if they even bother with security); you could have done the same thing by just encrypting the APK and sending it as a byte stream to the 1st app.

    1. Re:Cute but useless by dasacc22 · · Score: 3, Interesting
      You don't have to give it permission, that's just part of what they made available. to quote TFA

      In their testing, Android did show a permission request when the legitimate wrapper file tried to install the malicious APK, but the researchers say that this can be prevented by using DexClassLoader.

      Doing that isn't much of a stretch. Many popular apps already use DexClassLoader just to get around limits during packaging.

  12. Re:Encrytped App can't be checked? No shit. by dasacc22 · · Score: 2

    > And seriously, hiding a payload inside something else isn't new, that's been around for decades at least.

    *cough* trojans *cough*

    decades you say?

  13. symptom of dumbing down computing by Anonymous Coward · · Score: 0

    Once upon a time, if you wanted to view an image, you launched your OSs (or some other trusted) image viewer with that image as an argument. If it turned out not to be an image, it wouldn't display, because the image viewer only understood some image formats, and wouldn't execute arbitrary code.

    But in the quest to dumb everything down, it was decided that expecting people to understand they should use an image viewer on an image was too much to ask. Instead, we had to make it so simply clicking or pressing the image would view it. And this opened the door for a common attack on windows, android, and other environments. The thing could now just CLAIM to be an image, but really it's an executable that's gonna pwn your box.

    The less we expect people to understand, the easier it is to exploit them.

    1. Re:symptom of dumbing down computing by 0123456 · · Score: 1

      Don't forget the joy of thumbnails, so now you don't even need to open the image to exploit the codec bug that pwns your machine.

    2. Re:symptom of dumbing down computing by Russ1642 · · Score: 1

      How do you think Windows and Android launch image viewers? They associate the file format with the viewer and launch the viewer with the file as a command line argument. It is EXACTLY the same as it was when you had to type it on a command line. You're basically just complaining about windows' ability to hide file extensions, which is valid, but has really nothing to do with using icons instead of typing on a command line.

    3. Re:symptom of dumbing down computing by BronsCon · · Score: 0

      No, it's not. Dragging the icon for the image into the icon for the image viewer is exactly the same, in that you're specifying "open this file with that application". Doublie-clicking is most certainly not the same, especially when Windows defaults to "hide known file extenstions" and your malicious application is named "bigboobies.jpg.exe" with an icon that looks like a thumbnail of some boobs. The user sees "bigboobies.jpg", thoughtlessly ignores that no other legitimate images on their system show a file extension, and double clicks it; the malicious application now executes. Hell, if known extensions are hidden, simply naming it bigboobies.exe and giving it a titillating icon would fool 99% of users, even power users.

      Here's why:

      Typing "image_viewer.exe bigboobies.jpg" would launch image_viewer.exe, which would then tell you the file was not found. Dragging the icon of the "image" to the icon for "image_viewer.exe" or typing "image_viewer.exe bigboobies.jpg.exe", were you not to notice the ".exe" at the end, would launch image_viewer.exe, which would then complain that the file you fed it was not an image. Double-clicking an icon triggers the default action for the file type of the file the icon belongs to; in other words, if it's a sneakily-named executable, it executes it.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    4. Re:symptom of dumbing down computing by Russ1642 · · Score: 1

      Exactly. He's complaining about Windows hiding file extensions by default, which has little to nothing to do with command line crap, which is what my post said in the first place. It's a known security problem with a known solution.

    5. Re:symptom of dumbing down computing by BronsCon · · Score: 0

      No. I was explaining, to you, how clicking an icon and typing into the command line are not the same. It's really not my fault you missed that.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  14. Re:One important difference between Windows and go by tepples · · Score: 1

    Windows phones did not carry your credit card information nor did they have your google wallet password.

    Sure they do. First result from Google windows phone password manager

  15. so you need to install trojan to use the exploit? by Anonymous Coward · · Score: 0

    where's the news in this?
    they re-invented the concept of trojans?
    if there was way to exploit existing software with custom image this would be just another exploit-hole to close.
    this isn't even that if the trojan is needed in the first place to unpack and run the actual exploit..

  16. This sounds rather convoluted by Anonymous Coward · · Score: 0

    I don't get why they think people would believe they need to open some random app just to view an image...
    Or maybe I underestimate the stupidity of people..

  17. Re:Encrytped App can't be checked? No shit. by Anonymous Coward · · Score: 0

    300 decades is still decades...

  18. Association is the problem by tepples · · Score: 1

    I read Anonymous Coward's comment as complaining that Windows, X11 desktop environments, and Android have the "associate the file format with the viewer" feature in the first place. AC wants the user to have to remember the name of the viewer.

  19. Re:One important difference between Windows and go by Anonymous Coward · · Score: 0

    Woosh.

    You pointed to a click bait article reviewing third-party apps for people who want to make their windows phone carry credit card info, something Google does right out of the box.

    Google (like Apple), wants your credit card info for the play store and for tracking. They also want to push you towards their Google Wallet service. It is built into the operating system itself.

  20. Nothing new. by Anonymous Coward · · Score: 0

    They have been using similar techniques to hide maleware on desktops for many years. On a desktop it's as simple as hiding the encrypted payload in the rousources of a loader application which injects into another process. The only difference is that someone decided to change the platform the attack takes place on.

  21. Showing how they're equally fragmented by tepples · · Score: 2, Insightful

    My laptop came with Window 8, which has a radically different interface

    You could always install Classic Shell, an aftermarket launcher for Windows, to put the S back in Window 8.1 and give you an interface that's closer to Windows 7. Android likewise has aftermarket launchers.

    of course I pulled out the HDD, installed an SSD and put Linux on it

    Which is like installing a custom ROM on an Android device: there's ABSOLUTELY NO WARRANTY that all peripherals will be supported. I still haven't got my laptop's Bluetooth working in Xubuntu.

    Oh, and there's 32-bit and 64-bit

    And ARM vs. MIPS vs. Atom.

    and Home and Pro and Basic and Ultimate and...

    That's more a matter of which OS component repositories you're allowed to access than actual OS fragmentation.

    1. Re: Showing how they're equally fragmented by Anonymous Coward · · Score: 0

      ARM architecture uses MIPS assembly

  22. Windows Phone Store payment by tepples · · Score: 2

    Google (like Apple), wants your credit card info for the play store

    Is it really any different from ways to pay for purchases on Windows Phone Store?

    1. Re:Windows Phone Store payment by tlhIngan · · Score: 3, Interesting

      Google (like Apple), wants your credit card info for the play store

      You can have an account without a credit card on both.

      It's just a bit tricky, and it relies on the fact that if you try to make an account through "the front door" then yes, you need a credit card or other payment option.

      But if you go through the "back door" it works just fine.

      For iOS, what you do is you try to buy a FREE app. This will ask you to create an account, and will not ask for payment details (because the app is free). And now you have an account without an attached credit card.

      Android is the same - just buy a free app.

    2. Re:Windows Phone Store payment by Anonymous Coward · · Score: 0

      Last time I tried this, it REQUIRED a credit card for the i thing. There was no "skip" or "next time" even for free apps.

  23. Steganography by hawguy · · Score: 0

    So they've "invented" Steganography?

    1. Re:Steganography by hawguy · · Score: 1

      So they've "invented" Steganography?

      What's with the down-votes? Is hiding an encrypted payload in an image file anything but steganography? it's certainly not a novel way to write a virus since the Windows virus writers have been hiding their code with encryption for quite some time.

  24. Simple solution by Anonymous Coward · · Score: 0

    Android will ALWAYS ask you if you want to install an .apk, no matter how it is disguised. If you click a link, or visit a website, and it pops up asking you if you want to install, CLICK NO! Simple.

    Only idiots get malware on current versions of Android these days. They are either trying to get free porn, music, games or movies. Pay for the content you consume, and don't be an idiot and install random .apk files, and you will never, ever have an issue.

  25. PPA by tepples · · Score: 2

    Because that is putting time and effort into developing features to support competitors.

    Canonical put time and effort into the Personal Package Archive system, which supports competitors to the official Ubuntu repository. Each PPA is a Debian repository with a public key to verify packages, and a Canonical-managed PKI ties them together. True, a lot of that comes from the Debian project, but Canonical still polished it into PPAs starting in Ubuntu 9.10.

    1. Re:PPA by dasacc22 · · Score: 1

      your point? 3rd party checkbox in this scenario would be like a flag that determines whether your /etc/apt/sources.list file is read or discarded when determining software to install (given the standard ubuntu repos will always be an apt source).

    2. Re:PPA by tepples · · Score: 1

      My point is that Debian and Debian-derived distributions let the owner of a machine edit sources.list and Android doesn't.

    3. Re:PPA by dasacc22 · · Score: 1

      it would be interesting if the market app actually worked like this and was decoupled from other google services.

  26. Malicious APK by Anonymous Coward · · Score: 0

    You don't say! Everyone knows you just need a good HOSTS file to block APK.

  27. Difference with any code obfuscation? by iamacat · · Score: 1

    Can this circumvent permissions of the calling app? If not, this is just another demonstration that arbitrary turing-complete code can not be automatically validated. One can also load Javascript into a WebView and enable it to execute arbitrary Java code through a reflection-based bridge. I am not sure what is the proposed solution.

  28. Apk's far from malicious by Anonymous Coward · · Score: 0

    Apk made a good app to build hosts files to protect users from online threats here http://start64.com/index.php?o... that gets its data for custom hosts creation from 12 reputable security community sites that do so. Have you personally done more or better to help the online community than apk has or are you just another ac troll that can't prove his points wrong on hosts files? I'm wagering the latter in your case.

    1. Re: Apk's far from malicious by Anonymous Coward · · Score: 0

      APK we know that's you typing as an AC. nobody likes you and nobody would ever defend you here on /. the fact that you always post as an AC to back up your claims and support your lies is very telling.

    2. Re: Apk's far from malicious by Anonymous Coward · · Score: 0

      Sorry I said that about you apk. I take it back since I'm a "ne'er-do-well" trolling douche.

    3. Re: Apk's far from malicious by Anonymous Coward · · Score: 0

      You posted by ac and complain apk does too? You're too stupid to live.

  29. Stupid by Anonymous Coward · · Score: 0

    This is the stupidest thing I've read in a long time.

    Step 1: Create a really evil program.
    Step 2: Encrypt it so it wont be detected... and wont run.
    Step 3: Create another evil program that can decrypt other evil applications and run them.
    Step 4: Get idiot to install second evil application.

    This is so stupid it hurts my head. Can I make slashdot if I encode a malicious application to look like an MP3 and create another application to run it?

  30. Pick a valid criticism of Windows-plenty to choose by sjbe · · Score: 2

    Windows is at least as fragmented as Android.

    Look, I don't like Microsoft any more than most people here but that's just nonsense. You can grind you ax against Microsoft in plenty of ways that don't require making stuff up. It's not like there isn't anything legitimate to criticize about Windows. Your "evidence" that Windows is fragmented involves versions of Windows that were released over 10 years apart. That's not fragmentation - that's just normal development. The fact that Microsoft sells several versions that release different features depending on your license code isn't fragmentation - that's just price discrimination. Microsoft only sells a relatively small number of versions at any given time - FAR less than the number of Android versions available for sale.

    There are dozens if not hundreds of companies selling highly customized versions of Android. Want to upgrade to Google's latest code? On most devices you are out of luck unless you want to go to the hassle of jailbreaking. There are even info graphics detailing Android's problems with a horde of different versions and makers.

  31. Awesome, they re-invented steganography by Chris+S3h · · Score: 1

    and now go and read some books before you announce the next "big" thing.

  32. Re:Encrytped App can't be checked? No shit. by Anonymous Coward · · Score: 0

    Come on, the blackhat community is a whole lot of fee mongering go get headlines... hence the slashdot rep... This is why I am sick of security researchers... its like the boy who cried wolf... all the time.