Hide Android Applications in Images

Presented at Black Hat Europe 2014, Oct. 16, 2014, 3:30 p.m. (30 minutes).

Malware authors are always interested in concealing their goals to evade detection.

We have discovered a technique which enables them to hide whatever payload they wish in an Android package (APK).

The malicious payload is encrypted with AES, thus its reverse engineering does not give in any element.

Moreover, contrary to general belief, it is actually possible to manipulate the output of encryption and have it look like, for instance, a chosen image. Thus, the encrypted malicious payload can be crafted to look like an absolutely genuine image (of Anakin Skywalker ;).

We demonstrate with a Proof of Concept application that the attack works on current Android platforms, and we also explain how it works and how the payload is crafted.

This talk is not (or only very little) about cryptography. Understanding file formats, that's the magic :).


Presenters:

  • Axelle Apvrille - Fortinet
    Axelle Apvrille is a Senior Antivirus Analyst and Researcher at Fortinet, where she more specifically looks into mobile malware and "Internet of Things". She has presented at various security conferences, including VB, EICAR (best paper award), InsomniHack, ShmooCon, Black Hat Europe, Hack.Lu... Known in the community by her more or less mysterious handle "Crypto Girl," she changes from office worker during the day into mighty hacker at night. Like Neo, but with a superhero costume.
  • Ange Albertini
    Reverse engineer, author of Corkami

Links:

Similar Presentations: