Slashdot Mirror


Delivering Malicious Android Apps Hidden In Image Files

An anonymous reader writes "Researchers have found a way to deliver a malicious app to Android users by hiding it in what seems to be an encrypted image file, which is then delivered via a legitimate, seemingly innocuous wrapper app. Fortinet malware researcher Axelle Apvrille and reverse engineer Ange Albertini created a custom tool they dubbed AngeCryption, which allows them to encrypt the payload Android application package (APK) and make it look like an image (PNG, JPG) file. They also had to create another APK that carries the "booby-trapped" image file and which can decrypt it to unveil the malicious APK file and install it. A malicious app thusly encrypted is nearly invisible to reverse engineers, and possibly even to AV solutions and Google's Android Bouncer." (Here's the original paper, from researchers Axelle Apvrille and Ange Albertini.)

25 of 113 comments

  1. Unlikely by omems · · Score: 2

    Two crypto researchers whose first and last names all start with the letter "A"?

    1. Re:Unlikely by pushing-robot · · Score: 2

      Unlikely...or it may provide insight into Fortinet's hiring practices.

      --
      How can I believe you when you tell me what I don't want to hear?
    2. Re:Unlikely by 91degrees · · Score: 2

      Hiring manager is called Bob. He can only receive emails from people whose names start with A.

    3. Re:Unlikely by gstoddart · · Score: 3, Funny

      Bah, why do you think all crypto discussions are about exchanges between Alice and Bob? :-P

      --
      Lost at C:>. Found at C.
  2. Still have to install by dasacc22 · · Score: 4, Insightful

    This is just a really fancy way of clicking on an apk. So you install Foosball 2020 and click the app launcher icon and then your phone says "sorry, you need to enable installing 3rd party apps, bye!" and you say "damn you android! I want to play foosball with robots!" so you go through system settings and enable 3rd party installations and get a big warning. Then you open the app launcher icon again and instead of a game, you see a whole new installation screen for another app and the permissions it requires ...

    I think from a technical standpoint, this is really neat research, but there are much simpler ways to lead the cattle to the salt lick.

    1. Re:Still have to install by Jason+Levine · · Score: 2

      One problem might be that enabling third party apps seems to be an all or nothing affair. Your average Android device comes enabled to load apps from the Google Play store, but suppose you want to take advantage of the Amazon App Store also. (They have free apps of the day some of which might be interesting to use.) So you enable third party apps to load the Amazon App Store. However, now you are opened up to ANY third party app. It would be better if you could white-list the Amazon App Store but not RANDOM_WEBSITE_APP_STORE.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    2. Re:Still have to install by dasacc22 · · Score: 5, Informative

      I stand corrected after RTFA

      > In their testing, Android did show a permission request when the legitimate wrapper file tried to install the malicious APK, but the researchers say that this can be prevented by using DexClassLoader.

      Now that sounds plausible and like a real concern (that is being addressed).

    3. Re:Still have to install by Himmy32 · · Score: 2

      Because that is putting time and effort into developing features to support competitors. At least they support competition with decent security.

    4. Re:Still have to install by caseih · · Score: 2

      Well the fact of the matter is that Google is only interested in making sure their app store is the only trusted store. The choice to make it all or nothing was deliberate on their part. They could easily have implemented user-selectable trust of signing certificates. Granted 90% of Android users don't even understand the problem, let alone the solution.

      Still, though, this vulnerability appears to be firmly in the area of social engineering because why would I want to download an encrypted image file that requires another separate, random app to decrypt and view it?

  3. This sounds rather convoluted by Overzeetop · · Score: 2

    So I'm going to install an app which is used to open a picture I don't know the origin of and which has been tampered with to append a second app, and if the first app opens the "picture" of choice it then installs another app which triggers a permission request (which they say they can work around).

    I'd say this is implausible, but between porn and LOLcats there are going to be some unsuspecting idiots out there who might actually get caught.

    --
    Is it just my observation, or are there way too many stupid people in the world?
  4. Re:So you have to install an app... by AmiMoJo · · Score: 3, Insightful

    Yeah, but a totally innocuous app that the store maintainers are liable to let through.

    Meaning it isn't limited to just Android. This vulnerability has been known about for ages and affects all operating systems. You simply hide the virus encrypted inside the main app, in this case with a bit of obfuscation to make it look like an image too. Standard technique for trojans.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  5. Re:Encrypted App can't be checked? No shit. by dasacc22 · · Score: 2

    > And seriously, hiding a payload inside something else isn't new, that's been around for decades at least.

    *cough* trojans *cough*

    decades you say?

  6. Re:Cute but useless by dasacc22 · · Score: 3, Interesting

    You don't have to give it permission, that's just part of what they made available. To quote TFA:

    > In their testing, Android did show a permission request when the legitimate wrapper file tried to install the malicious APK, but the researchers say that this can be prevented by using DexClassLoader.

    Doing that isn't much of a stretch. Many popular apps already use DexClassLoader just to get around limits during packaging.

  7. Re:android = windows by tepples · · Score: 2

    If I remember correctly, Android malware is a buttload easier to get rid of than Windows malware. From everything I've read, it's a matter of going into Settings, disabling it as a device administrator, and then uninstalling it.

  8. Showing how they're equally fragmented by tepples · · Score: 2, Insightful

    > My laptop came with Window 8, which has a radically different interface

    You could always install Classic Shell, an aftermarket launcher for Windows, to put the S back in Window 8.1 and give you an interface that's closer to Windows 7. Android likewise has aftermarket launchers.

    > of course I pulled out the HDD, installed an SSD and put Linux on it

    Which is like installing a custom ROM on an Android device: there's ABSOLUTELY NO WARRANTY that all peripherals will be supported. I still haven't got my laptop's Bluetooth working in Xubuntu.

    > Oh, and there's 32-bit and 64-bit

    And ARM vs. MIPS vs. Atom.

    > and Home and Pro and Basic and Ultimate and...

    That's more a matter of which OS component repositories you're allowed to access than actual OS fragmentation.

  9. Windows Phone Store payment by tepples · · Score: 2

    > Google (like Apple), wants your credit card info for the play store

    Is it really any different from ways to pay for purchases on Windows Phone Store?

    1. Re:Windows Phone Store payment by tlhIngan · · Score: 3, Interesting

      > Google (like Apple), wants your credit card info for the play store

      You can have an account without a credit card on both.

      It's just a bit tricky, and it relies on the fact that if you try to make an account through "the front door" then yes, you need a credit card or other payment option.

      But if you go through the "back door" it works just fine.

      For iOS, what you do is you try to buy a FREE app. This will ask you to create an account, and will not ask for payment details (because the app is free). And now you have an account without an attached credit card.

      Android is the same - just buy a free app.

  10. PPA by tepples · · Score: 2

    > Because that is putting time and effort into developing features to support competitors.

    Canonical put time and effort into the Personal Package Archive system, which supports competitors to the official Ubuntu repository. Each PPA is a Debian repository with a public key to verify packages, and a Canonical-managed PKI ties them together. True, a lot of that comes from the Debian project, but Canonical still polished it into PPAs starting in Ubuntu 9.10.

  11. Re:android = windows by tepples · · Score: 3

    If the malware didn't need root to enable itself as a device admin, then you don't need root to disable it. Most Android malware that makes the news is not the alleged "malware" installed by carriers, and besides, that's easily avoidable by buying Nexus or Google Play Edition devices and avoiding VZW and Sprint.

  12. Re:So you have to install an app... by jbssm · · Score: 2

    > affects all operating systems.

    Not really. You cannot launch an app that's not signed in iOS to run on that specific device, thereby all this process just wouldn't work in iOS for instance.

    It also wouldn't work in OSX unless you deactivated the permissions to run only Mac Store apps (which many of the people do though).

  13. Re:So you have to install an app... by AmiMoJo · · Score: 4, Insightful

    It won't work on an Android device unless you first enable the ability to side load apps, click through all the warnings, then re-start the trojan, click through the side load app warning, and finally click through the new app installation screen and permission list.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  14. Pick a valid criticism of Windows-plenty to choose by sjbe · · Score: 2

    > Windows is at least as fragmented as Android.

    Look, I don't like Microsoft any more than most people here but that's just nonsense. You can grind your ax against Microsoft in plenty of ways that don't require making stuff up. It's not like there isn't anything legitimate to criticize about Windows. Your "evidence" that Windows is fragmented involves versions of Windows that were released over 10 years apart. That's not fragmentation - that's just normal development. The fact that Microsoft sells several versions that release different features depending on your license code isn't fragmentation - that's just price discrimination. Microsoft only sells a relatively small number of versions at any given time - FAR less than the number of Android versions available for sale.

    There are dozens if not hundreds of companies selling highly customized versions of Android. Want to upgrade to Google's latest code? On most devices you are out of luck unless you want to go to the hassle of jailbreaking. There are even info graphics detailing Android's problems with a horde of different versions and makers.

  15. Re:fjaoiejaaaaaaarghhh by AqD · · Score: 2

    The average smartphone users are just like PC users. They cannot understand that AV scanning is only useful because a lot of malware authors want their works to be found and recognized, because they're doing it for fun.

  16. Re:So you have to install an app... by Ronin+Developer · · Score: 2

    Why was the parent post modded to -1? The fact is that they are correct - unless your iPhone is jailbroken. The sandbox prevents unsigned apps from being installed. And, apps that do get installed have limited access to the rest of the file system. At least that's the way it worked prior to iOS 8.

    The walled garden is both a curse and a blessing - depends on how you look at it.

  17. Re:android = windows by jedidiah · · Score: 2

    No, not really.

    In Windows, you don't need a special binary to deliver a payload like this.

    The article is retarded. Sure, if you try hard enough you can write a trojan to do something stupid. If you are going that far, you don't even need to hide the payload in an image.

    At that point, you could probably "exploit" VMS.

    Not terribly interesting really.

    --
    A Pirate and a Puritan look the same on a balance sheet.