Wednesday, 22 October 2014


Researchers bind Android Application with Image Files


Researchers have successfully bound a malicious Android application to innocent-looking image files.
Two researchers, Axelle Apvrille, mobile/IoT malware analyst and researcher at Fortinet, and Ange Albertini, reverse engineer and author of Corkami.com, have created a tool that encrypts APK files so that they look like PNG image files.
When the malicious image-like file is sent to a victim and opened on their Android device, they see only the harmless-looking image, while in the meantime a malicious payload is installed onto the device.
In order to hide the installation of the malicious payload, the attacker can leverage the DexClassLoader constructor, the experts said.
The affected Android versions are Android 4.4.2 and earlier. The issue was reported back in June, when Google released a security update, but the fix appears to be incomplete. Google has been notified again and is said to be working on the next fix.

How does it work? 

The attacker writes his malicious payload and encrypts it to make it look like a valid PNG image file. The encryption is done with AngeCryption, an application developed by the researchers.

Controlling AES encryption output is difficult, but the tool developed by the researchers encrypts the APK so well that Android can hardly tell the difference. There is a drawback, however: the customized APK is 500KB, which is large for an image; generally only pictures with resolutions above 1K reach that file size. An alert victim could therefore find the file size suspicious, but that is a one-in-a-million chance, since the file looks exactly like an image.


The final step is to create a wrapping APK in which the malicious PNG is inserted, and then decrypted and installed.


When Android APKs are written, they must end with an End of Central Directory (EOCD) marker. The researchers managed to add their specially crafted PNG file to the APK by appending it after the first EOCD and adding a second EOCD at the end.
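As an added defensive check that is not part of the original post or of the researchers' tool, the Python script below scans a ZIP/APK buffer for every EOCD signature and reports any bytes appended after the first record, which is the second-EOCD layout described above. The clean and tampered archives it examines are constructed inside the script (a placeholder `classes.dex` entry and a placeholder blob, not a real payload).

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"            # End of Central Directory signature
EOCD_FIXED_LEN = 22                 # fixed part of the EOCD record, before the comment
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"    # a PNG-disguised blob would start with this

def eocd_offsets(data: bytes) -> list[int]:
    """Return every offset where an EOCD signature appears, scanning from the front."""
    hits, pos = [], data.find(EOCD_SIG)
    while pos != -1:
        hits.append(pos)
        pos = data.find(EOCD_SIG, pos + 1)
    return hits

def eocd_end(data: bytes, off: int) -> int:
    """Offset just past the EOCD record at `off` (fixed part plus archive comment)."""
    if off + EOCD_FIXED_LEN > len(data):
        return len(data)
    comment_len = struct.unpack_from("<H", data, off + 20)[0]
    return off + EOCD_FIXED_LEN + comment_len

def inspect_apk(data: bytes) -> dict:
    """Flag more than one EOCD, or bytes after the first one; Android parses the last EOCD."""
    offs = eocd_offsets(data)
    first_end = eocd_end(data, offs[0]) if offs else len(data)
    trailing = data[first_end:]
    return {
        "eocd_count": len(offs),
        "trailing_bytes": len(trailing),
        "png_after_eocd": trailing.startswith(PNG_MAGIC),
        "suspicious": len(offs) > 1 or len(trailing) > 0,
    }

def build_samples() -> tuple[bytes, bytes]:
    """Constructed fixtures: a clean archive and one with a blob and a 2nd EOCD appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"constructed placeholder, not a real dex")
    clean = buf.getvalue()
    eocd_copy = clean[clean.rfind(EOCD_SIG):]           # the archive's own EOCD record
    tampered = clean + PNG_MAGIC + b"constructed blob" + eocd_copy
    return clean, tampered

if __name__ == "__main__":
    for name, sample in zip(("clean", "tampered"), build_samples()):
        print(name, inspect_apk(sample))
```

Signature bytes can occur by chance inside compressed entries, so a hit should be confirmed by parsing the central directory rather than treated as proof on its own.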