A new technique allows attackers to hide encrypted malicious Android applications inside images and could evade detection from antivirus products and possibly Google Play’s own malware scanner.
The attack, presented at the Black Hat Europe conference in Amsterdam, ended up developed by Axelle Apvrille, a researcher at Fortinet, and reverse engineer Ange Albertini.
The basis of the attack comes from a technique devised by Albertini called AngeCryption that allows controlling both the input and the output of a file encryption operation using the Advanced Encryption Standard (AES) by taking advantage of the properties of some file formats that allow files to remain valid despite having junk data appended to them.
AngeCryption, implemented as a Python script available for download on Google Code, allows the user to choose an input and an output file and makes the necessary modifications so when the input file end up encrypted with a specified key using AES in cipher-block chaining (CBC) mode, it produces the desired output file.
Apvrille and Albertini took the idea further and applied it to APK (Android application package) files. They created a proof-of-concept wrapping application that simply displays a PNG image of Star Wars character Anakin Skywalker. However, the app can also decrypt the image with a particular key in order to produce a second APK file that it can then install.
In the researchers’ demonstration, the APK hidden inside the image was to display a picture of Darth Vader, but a real attacker could use a malicious application instead to steal text messages, photos, contacts, or other data.
During the demonstration, Android displayed a permission request when the wrapper application tried to install the decrypted APK file, but this can end up bypassed using a method called DexClassLoader so the user doesn’t see anything, Apvrille said. The image wouldn’t even have to be in the wrapper application and could end up downloaded from a remote server after installation, she said.
In order for the attack to work, some data needs to append at the end of the original application, but the APK format, derived from ZIP, does not allow appended data after a marker called the End of Central Directory (EOCD), which signals the end of the file.
However, the researchers found adding a second EOCD after the appended data tricks Android into accepting the file as valid. According to Apvrille, this should not happen and is the result of an error in Android’s APK parser.
The attack works on Android 4.4.2, the latest version of the OS, but the Android security team is aware and is developing a fix, Apvrille said.
Because of fragmentation in the Android ecosystem, especially when it comes to firmware updates, many devices will likely remain vulnerable to this attack for a long time, giving Android malware authors ample time to take advantage of it.
The researchers released their proof-of-concept code on Github and will also publish a paper.