We now live in the age of the image. Hardly a day goes by when we don’t download or share an image of friends or family. The saying ‘A picture is worth a thousand words’ has become a motto for our everyday lives.

Well aware of this are those who prowl the Internet with malicious intent. They know that images are now swarming across the Web, and as such represent the perfect Trojan horse to conceal malicious content. In fact, had it not been for Axelle Apvrille and Ange Albertini, many have already tried. These researchers were responsible for uncovering a crack in the defensive wall of Google’s mobile operating system, through which images can be used to hide malicious software, which could then slip past the system’s protection.

android-mobile

At the latest Black Hat Europe event in Amsterdam, these cyber-security experts presented their work on the vulnerability in Android. Due to this flaw, malicious users could reach the smartphone or tablet of any user through an image which, when downloaded, would become a file that could infect the device.

According to Apvrille and Albertini, the malicious payload could be concealed in any image, regardless of format. Whether a .png or .jpg, what to the naked eye is simply a picture of a person, could simply be a front for code that would be released from the image and spread malware.

To demonstrate the existence of the vulnerability, they created a tool called AngeCryption, which let them convert images into packets. Thanks to this, they could hide anything they wanted to transmit from one device to another without security systems or Google’s own scanner being aware of its existence. So behind an apparently inoffensive image there could be an .apk, the type of executable file that allows applications to be installed.

pic-mobile

In the proof-of-concept presented by the researchers, they used an image of Darth Vader to hide a malicious app designed to steal photos, messages and other data from the devices it is downloaded to.

Imagine a contact sent you an image via WhatsApp and you downloaded it, without you knowing an app would be installed on your device that could search for and steal anything it found. This is precisely what this vulnerability allows.

“Such an attack is highly likely to go unnoticed, because the wrapping Android package hardly has anything suspicious about it,” explain Apvrille and Albertini. They also warn that this flaw has been present in all versions of Android so far.

The discovery of this security hole was kept quiet until the researchers were able to inform Google and the company’s security team had time to fix it. So are you now safe? Yes, but only if you remember to upgrade your smart phone or tablet. If you don’t, you will be exposed to potentially nasty surprises.

So we advise you:

  • To be careful with photos from unknown sources
  • Install any available Google updates.

Also, as prevention is better than cure, install our antivirus for Android devices. Why take unnecessary risks?