Slashdot Mirror


Delivering Malicious Android Apps Hidden In Image Files

An anonymous reader writes "Researchers have found a way to deliver a malicious app to Android users by hiding it in what seems to be an encrypted image file, which is then delivered via a legitimate, seemingly innocuous wrapper app. Fortinet malware researcher Axelle Apvrille and reverse engineer Ange Albertini created a custom tool they dubbed AngeCryption, which allows them to encrypt the payload Android application package (APK) and make it look like an image (PNG, JPG) file. They also had to create another APK that carries the "booby-trapped" image file and which can decrypt it to unveil the malicious APK file and install it. A malicious app thusly encrypted is nearly invisible to reverse engineers, and possibly even to AV solutions and Google's Android Bouncer." (Here's the original paper, from researchers Axelle Apvrille and Ange Albertini.)

8 of 113 comments

  1. Still have to install by dasacc22 · Score: 4, Insightful

    This is just a really fancy way of clicking on an apk. So you install Foosball 2020 and click the app launcher icon and then your phone says "sorry, you need to enable installing 3rd party apps, bye!" and you say "damn you android! I want to play foosball with robots!" so you go through system settings and enable 3rd party installations and get a big warning. Then you open the app launcher icon again and instead of a game, you see a whole new installation screen for another app and the permissions it requires ...

    I think from a technical standpoint, this is really neat research, but there are much simpler ways to lead the cattle to the salt lick.

    1. Re:Still have to install by dasacc22 · Score: 5, Informative
      I stand corrected after RTFA

      In their testing, Android did show a permission request when the legitimate wrapper file tried to install the malicious APK, but the researchers say that this can be prevented by using DexClassLoader.

      Now that sounds plausible and like a real concern (that is being addressed).

  2. Re:So you have to install an app... by AmiMoJo · Score: 3, Insightful

    Yeah, but a totally innocuous app that the store maintainers are liable to let through.

    Meaning it isn't limited to just Android. This vulnerability has been known about for ages and affects all operating systems. You simply hide the virus encrypted inside the main app, in this case with a bit of obfuscation to make it look like an image too. Standard technique for trojans.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  3. Re:Cute but useless by dasacc22 · Score: 3, Interesting
    You don't have to give it permission, that's just part of what they made available. To quote TFA:

    In their testing, Android did show a permission request when the legitimate wrapper file tried to install the malicious APK, but the researchers say that this can be prevented by using DexClassLoader.

    Doing that isn't much of a stretch. Many popular apps already use DexClassLoader just to get around limits during packaging.

  4. Re:Unlikely by gstoddart · Score: 3, Funny

    Bah, why do you think all crypto discussions are about exchanges between Alice and Bob? :-P

    --
    Lost at C:>. Found at C.
  5. Re:android = windows by tepples · Score: 3

    If the malware didn't need root to enable itself as a device admin, then you don't need root to disable it. Most Android malware that makes the news is not the alleged "malware" installed by carriers, and besides, that's easily avoidable by buying Nexus or Google Play Edition devices and avoiding VZW and Sprint.

  6. Re:So you have to install an app... by AmiMoJo · Score: 4, Insightful

    It won't work on an Android device unless you first enable the ability to side load apps, click through all the warnings, then re-start the trojan, click through the side load app warning, and finally click through the new app installation screen and permission list.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  7. Re:Windows Phone Store payment by tlhIngan · Score: 3, Interesting

    Google (like Apple), wants your credit card info for the play store

    You can have an account without a credit card on both.

    It's just a bit tricky, and it relies on the fact that if you try to make an account through "the front door" then yes, you need a credit card or other payment option.

    But if you go through the "back door" it works just fine.

    For iOS, what you do is you try to buy a FREE app. This will ask you to create an account, and will not ask for payment details (because the app is free). And now you have an account without an attached credit card.

    Android is the same - just buy a free app.