Slashdot Mirror
Delivering Malicious Android Apps Hidden In Image Files
An anonymous reader writes "Researchers have found a way to deliver a malicious app to Android users by hiding it into what seems to be an encrypted image file, which is then delivered via a legitimate, seemingly innocuous wrapper app. Fortinet malware researcher Axelle Apvrille and reverse engineer Ange Albertini created a custom tool they dubbed AngeCryption, which allows them to encrypt the payload Android application package (APK) and make it look like an image (PNG, JPG) file . They also had to create another APK that carries the "booby-trapped" image file and which can decrypt it to unveil the malicious APK file and install it. A malicious app thusly encrypted is nearly invisible to reverse engineers, and possibly even to AV solutions and Google's Android Bouncer." (Here's the original paper, from researchers Axelle Apvrille and Ange Albertini.)
Yeah, but a totally innocuous app that the store maintainers are liable to let through.
Two crypto researchers whose first and last names all start with the letter "A"?
This is just a really fancy way of clicking on an apk. So you install Foosball 2020 and click the app launcher icon and then your phone says "sorry, you need to enable installing 3rd party apps, bye!" and you say "damn you android! I want to play foosball with robots!" so you go through system settings and enable 3rd party installations and get a big warning. Then you open the app launcher icon again and instead of a game, you see a whole new installation screen for another app and the permissions it requires ...
I think from a technical standpoint, this is really neat research, but there are much simpler ways to lead the cattle to the salt lick.
So I'm going to install an app which is used to open a picture I don't know the origin of and which has been tampered with to append a second app, and if the first app opens the "picture" of choice it then installs another app which triggers a permission request (which they say they can work around).
I'd say this is implausible, but between porn and LOLcats there are going to be some unsuspecting idiots out there who might actually get caught.
Is it just my observation, or are there way too many stupid people in the world?
So what I really gather from this is encrypted apps can't be check, scan or searched for what the contents hold? Really?
And seriously, hiding a payload inside something else isn't new, that's been around for decades at least.
So in other words, don't install apps I have no idea where they come from? Sounds good to me.
Be seeing you...
Yeah, but a totally innocuous app that the store maintainers are liable to let through.
Meaning it isn't limited to just Android. This vulnerability has been known about for ages and affects all operating systems. You simply hide the virus encrypted inside the main app, in this case with a bit of obfuscation to make it look like an image too. Standard technique for trojans.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
I thought app stores existed because of security.
Let's do away with them altogether then.
If Pandora's box is destined to be opened, *I* want to be the one to open it.
> And seriously, hiding a payload inside something else isn't new, that's been around for decades at least.
*cough* trojans *cough*
decades you say?
In their testing, Android did show a permission request when the legitimate wrapper file tried to install the malicious APK, but the researchers say that this can be prevented by using DexClassLoader.
Doing that isn't much of a stretch. Many popular apps already use DexClassLoader just to get around limits during packaging.
Windows phones did not carry your credit card information nor did they have your google wallet password.
Sure they do. First result from Google windows phone password manager
If I remember correctly, Android malware is a buttload easier to get rid of than Windows malware. From everything I've read, it's a matter of going into Settings, disabling it as a device administrator, and then uninstalling it.
Such an attack would not work against iOS since the sub-app would not be signed to run on the device, and the parent app wouldn't be able to launch the other process.
Don't forget the joy of thumbnails, so now you don't even need to open the image to exploit the codec bug that pwns your machine.
How do you think Windows and Android launch image viewers? They associate the file format with the viewer and launch the viewer with the file as a command line argument. It is EXACTLY the same as it was when you had to type it on a command line. You're basically just complaining about windows' ability to hide file extensions, which is valid, but has really nothing to do with using icons instead of typing on a command line.
I read Anonymous Coward's comment as complaining that Windows, X11 desktop environments, and Android have the "associate the file format with the viewer" feature in the first place. AC wants the user to have to remember the name of the viewer.
My laptop came with Window 8, which has a radically different interface
You could always install Classic Shell, an aftermarket launcher for Windows, to put the S back in Window 8.1 and give you an interface that's closer to Windows 7. Android likewise has aftermarket launchers.
of course I pulled out the HDD, installed an SSD and put Linux on it
Which is like installing a custom ROM on an Android device: there's ABSOLUTELY NO WARRANTY that all peripherals will be supported. I still haven't got my laptop's Bluetooth working in Xubuntu.
Oh, and there's 32-bit and 64-bit
And ARM vs. MIPS vs. Atom.
and Home and Pro and Basic and Ultimate and...
That's more a matter of which OS component repositories you're allowed to access than actual OS fragmentation.
Google (like Apple), wants your credit card info for the play store
Is it really any different from ways to pay for purchases on Windows Phone Store?
Then what's the point of Google Play Store, Amazon Appstore, and F-Droid, which all have a sizable collection of apps available without charge? In F-Droid's case, the apps are even free software.
Yet because Apple rejects useful applications such as MozStumbler and any web browser that isn't a Safari wrapper, users end up having to deal with a platform that allows use of unsigned binaries without payment of a recurring fee to the operating system publisher. They have nothing to do with each other technically and everything to do with each other politically.
*requires root
**root not available for all phones
*** Certain malware installed by carriers is not removable.
****suck it long. Suck it hard
You thought wrong.
There's a lot of reasons, if you're an OS developer, to have an app store, but security is pretty low on them.
#1: It lets you control what applications are available on your platform. No worrying about someone treading on your toes, selling something you sell.
#2: It gives you a cut of every app sold. This means that you can make your OS a loss leader, and take your profits from the sales of people making things people actually like.
#3: Building your brand. Marketing poisons everything. People talking, even occasionally, about your company's store, versus some website or store where they bought something is good for the recognizably of your other crap
#4: Yeah, okay. A gesture towards quality control
#5: Yeah, okay. A gesture towards security.
Because that is putting time and effort into developing features to support competitors.
Canonical put time and effort into the Personal Package Archive system, which supports competitors to the official Ubuntu repository. Each PPA is a Debian repository with a public key to verify packages, and a Canonical-managed PKI ties them together. True, a lot of that comes from the Debian project, but Canonical still polished it into PPAs starting in Ubuntu 9.10.
If the malware didn't need root to enable itself as a device admin, then you don't need root to disable it. Most Android malware that makes the news is not the alleged "malware" installed by carriers, and besides, that's easily avoidable by buying Nexus or Google Play Edition devices and avoiding VZW and Sprint.
Not really. You cannot launch an app that's not signed in iOS to run on that specifically device, thereby all this process just wouldn't work in iOS for instance.
It also wouldn't work in OSX unless you deactivated the permissions to run only Mac Store apps (which many of the people do though).
Can this circumvent permissions of the calling app? If not, this is just another demonstration that arbitrary turing-complete code can not be automatically validated. One can also load Javascript into a WebView and enable it to execute arbitrary Java code through a reflection-based bridge. I am not sure what is the proposed solution.
It won't work on an Android device unless you first enable the ability to side load apps, click through all the warnings, then re-start the trojan, click through the side load app warning, and finally click through the new app installation screen and permission list.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Apple's App Store has plenty of apps available without charge, too, but they sure hope you buy some that cost money. I don't think I know anyone with a smart phone, regardless of OS, who only has free apps and hasn't purchased at least one. F-Droid isn't really an app store, unless you want to get clever and interpret "store" as a storage facility as opposed to a marketplace. It's a curated library, not a store. F-Droid is a registered nonprofit and relies on donations to survive.
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
And the distinction is at least as meaningless as it is in Android.
by Mike Buddha -- Someday the mountain might get him, but the law never will.
Windows is at least as fragmented as Android.
Look, I don't like Microsoft any more than most people here but that's just nonsense. You can grind you ax against Microsoft in plenty of ways that don't require making stuff up. It's not like there isn't anything legitimate to criticize about Windows. Your "evidence" that Windows is fragmented involves versions of Windows that were released over 10 years apart. That's not fragmentation - that's just normal development. The fact that Microsoft sells several versions that release different features depending on your license code isn't fragmentation - that's just price discrimination. Microsoft only sells a relatively small number of versions at any given time - FAR less than the number of Android versions available for sale.
There are dozens if not hundreds of companies selling highly customized versions of Android. Want to upgrade to Google's latest code? On most devices you are out of luck unless you want to go to the hassle of jailbreaking. There are even info graphics detailing Android's problems with a horde of different versions and makers.
The average smartphone users are just like PC users. They cannot understand that AV scanning is only useful because a lot of malware authors want their works to be found and recognized, because they're doing it for fun.
Show me a single app that will work on one of these versions but not the others.
Any application that requires Windows XP Mode, SUA, or more than 16 GB of RAM will work only on Windows 7 Pro and Ultimate according to this table. So does any application that is accessed remotely through Remote Desktop.
Exactly. He's complaining about Windows hiding file extensions by default, which has little to nothing to do with command line crap, which is what my post said in the first place. It's a known security problem with a known solution.
My comment was not to disprove that it was possible or not on android without user intervention, my comment was to disprove your statement that this issue affects all operating systems. It does not, iOS it's completely impervious to this attack.
On the other hand, you are right about user intervention. Android seems to need user intervention just like OSX does in order for this to attack to work.
Devil's advocate here:
One reason why Apple has such a sterling reputation for security is that they have a brutal gatekeeper and don't let anyone else have install mechanisms (other than developers or the enterprise.) They also disallow forms of programs that will be asking for trouble such as hypervisors and VM environments where code can be fetched and run that isn't trusted.
These days, there are two ways to get a device compromised:
1: Browser and browser add-ons. Adblock, click-to-play, sandboxing, and even running the browser in a VM or separate filesystem [1] are good defenses.
2: The Dancing Bunnies (or dancing whatevers). Apple solves this by locking the user well away from any install mechanism. Ironically, Android's OS is more secure (although its all/nothing perms model can be helped by XPrivacy), but because of the fact that users can install the pr0n viewer.apk file from a rogue site, it makes the OS appear to be less secure.
[1]: I've had malware create tons of files on a volume before, so many in such deep tree structures that unlink (in UNIX) or rmdir (in Windows) will fail. So, my sandbox volumes go on their separate partition that can be easily formatted. Plus, on Windows, I use BitLocker (with no key protectors) so a format of the volume renders all the data inaccessible (the format.exe command zeroes the VEK field multiple times.)
and now go and read some books before you announce the next "big" thing.
Why was the parent post modded to -1? The fact is that they are correct - unless your iPhone is jailbroken. The sandbox prevents unsigned apps from being installed. And, apps that do get installed have limited access to the rest of the file system. At least that's the way it worked prior to iOS 8.
The walled garden is both a curse and a blessing - depends on how you look at it.
Depends, if you want to bring previously bugs in the code that are now patched on to this discussion, we will have a lot to talk about now patched bugs on Android as well.
We are talking about the present state of the operating systems, not about what bugs might or might not be discovered in the future.
OS X's default permission for GateKeeper is Mac App Store and Developer Signed Apps. It has never been Mac App Store only. The other option is well, "off" (any source).
And it'll always remain that way because people do buy apps elsewhere (there are categories of apps the MAS will not have, such as demos, drivers, utilities (that cannot be sandboxed), etc.)
So if your payload was signed, then yes, it'll run on OS X just fine. Though if it's particularly virulent, Apple will probably revoke the signing certificate, thus making the payload non-executable by default.
Though there is also another nuance to it - GateKeeper only works from untrusted sources - if you compile an application from source code, even though it's unsigned, it actually will NOT pop up a warning because it came from a trusted source (the compiler). Ditto apps installed from optical media. The untrusted source here would be the Internet.
So yeah, the trick will work on OS X. Though to be honest, it seems like a rather roundabout way to do things when the user will just double-click the file anyways.
The trick appears more like those videos and crap that try to get you to install "codec packs" which don't do anything other than install malware on your machine.
You are right. I had the idea I had fiddled with the options from Mac Store only to Anywhere, but the default was Mac App Store and Developer Signed Apps after all
I would suggest thought, that JAVA vulnerabilities and Adobe Flash Player (which I haven't installed btw, but many people do) vulnerabilities, are still the greatest threat to OSX now-a-days.
No, not really.
In Windows, you don't need a special binary to deliver a payload like this.
The article is retarded. Sure, if you try hard enough you can write a trojan to do something stupid. If you are going that far, you don't even need to hide the payload in an image.
At that point, you could probably "exploit" VMS.
Not terribly interesting really.
A Pirate and a Puritan look the same on a balance sheet.
Any application that requires Windows XP Mode, SUA, or more than 16 GB of RAM will work only on Windows 7 Pro and Ultimate according to this table.
So... some video editing programs won't be able to access more thatn 16 GB RAM on home? Some business applications may work better on the XP virtual machine (XP Mode) than in the native 7? SUA won't be coming with Windows anymore as it has been deprecated, so perhaps that should count. However, could you not run Cygwin instead?
So does any application that is accessed remotely through Remote Desktop.
That seems rather convoluted way of stating that you cannot access the computer through Remote Desktop and would have to install vnc or something to do it...
It is what it is.
One reason why Apple has such a sterling reputation for security...
WHAT? No seriously, where does this reputation exist? I've never heard of it.
Someone had to do it.
In most cases, to require you to log in so that the accuracy of advertisement targeting on your personage can be maintained; that is their purpose, f-droid excepted.
Someone had to do it.
Your comparing a PHONE OS to a DeskTop Computer OS??
HAHAHAHAHAHAHAHAHAHHAHAHA
Now, I have windows 7 64 bit ultimate had it the day it was released I also have Norton's Internet security. I have adblockers and cookie deleters and so on too. Guess what? I've never had a virus, I have never had Malware and I DO go to all those free porn sites. So, I would be on top of the list of people who SHOULD get viruses and malware. So please explain to me why I don't get those nasties? I get plenty of what they call tracker cookies
Jack of all trades,master of none
What confuses me is that android has the exact same walled garden approach by default. You have to manually allow "untrusted source" installs. Apple, of course, doesn't allow this because then they wont get their 30% cut (it has nothing to do with security - sorry folks).
If you want to do this on ios, you jailbreak , and make your device more functional, but arguably less secure if you don't know what you're doing, or you're some sort of chimp.
Talking about security used to mean how free from vulnerabilities and exploits a platform was. It would seem things have devolved into a conversation about which platform more readily allows the town dullard to shoot himself in the foot. It's a political conversation indeed.
If it ain't broke, don't fix it.
if you glance the paper, it might seem that they include a root exploit that gets run with the application. however, deeper reading is that the root exploit is only mentioned on an exampe of an android malware file..
in the example of their application, they conviently skip even saying if the apk install screen is shown! however I still think it is shown because they include this disclaimer right after there..
"Note trickier implementations can conceal the installation of the payload APK", sneaky bastards, they apparently use that line in the paper to justify skipping of showing the installation screens for the second apk- the paper makes it look like it just skips from one application straight to the next but that note line there tells the truth, so technically they're not lying. and a trickier implementation wouldn't even require an apk, devoting half the paper to angecrypt commandline usage and all that shit - making the whole paper irrelevant in the context of a 'trickier implementation'. now tell the trickier implementation as that would be news, if you have it!
does a troll mod give a temporary few minute ban to slashdot? that's real classy. couldn't post clarification for hours.
world was created 5 seconds before this post as it is.
So they've "invented" Steganography?
What's with the down-votes? Is hiding an encrypted payload in an image file anything but steganography? it's certainly not a novel way to write a virus since the Windows virus writers have been hiding their code with encryption for quite some time.
Spoken like someone who didn't even read the summary -- and seriously, that's all you need in this case. It's standard trojan nonsense. You have to install an app which then sets about installing another app... secretly.
The whole point of this article, I think, is to make all platforms "equally bad." I smell microsoft or apple sponsorship. If you can't make what you have "better" you "compete" by trying to make others look worse.
I don't have nearly the "protection" you have and neither have I. Just don't do stupid things.
well i don't confuse a phone OS with a desktop PC OS that's for sure. And i guess if i didn't go to porn sites i wouldn't need the protection i have but its always best to wear protection ;}
Jack of all trades,master of none