Researchers create technique that allows control over the input and the output of AES CBC encryption process

Oct 20, 2014 12:01 GMT

Using a custom tool, an input that appears to be a PNG/JPG image or an Adobe document can be decrypted into a malicious payload, allowing it to escape malware scanning solutions on Android.

Dubbed AngeCryption and created by Albertini, the method proves that any input can be encrypted into a valid output (supported formats are PNG, JPG, PDF, and FLV) that looks no different from a resource required during the installation of an Android application package (APK).

AngeCryption has been made available as a Python script and it can be downloaded from Google Code.

Anakin Skywalker becomes Darth Vader

An attack scenario would consist of hiding a malicious APK intended for compromising the mobile device inside a valid image. Any payload on any current version of the mobile operating system would work for such an attack, the two researchers said during their presentation.

The technique was devised by Axelle Apvrille, senior antivirus analyst and researcher at Fortinet, and reverse engineer Ange Albertini and presented at the Black Hat Europe security conference in Amsterdam last week.

In their demonstration, the researchers encrypted an image of Star Wars character Anakin Skywalker using the AES algorithm in cipher block chaining (CBC) mode; 3DES can also be employed with the same success.

By manipulating the bytes of the encryption output with AngeCryption, decryption yields another picture selected by the duo, that of Darth Vader, which could be substituted with any other file (a malicious APK, for instance).
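The first-block control that the demonstration relies on, shown as an added example that is not the researchers' AngeCryption script: in CBC mode the party that chooses the IV can make the first ciphertext block equal any chosen 16 bytes, which is why an encrypted blob can open with a legitimate file header and why scanning only the container gives little assurance. The block cipher below is a small HMAC-based Feistel network standing in for AES (an assumption so that the code needs only the standard library); the key, payload and header are constructed values.

```python
import hmac, hashlib

BLOCK = 16  # 128-bit blocks, the same block size as AES

def _round(key: bytes, r: int, half: bytes) -> bytes:
    # Keyed round function: HMAC-SHA256 over (round number, half block), cut to 8 bytes.
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:8]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network standing in for AES (the CBC property does not depend on the cipher).
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    # Exact inverse of block_encrypt: undo the rounds in reverse order.
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):  # data is assumed to be block-aligned
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        out.append(_xor(block_decrypt(key, data[i:i + BLOCK]), prev))
        prev = data[i:i + BLOCK]
    return b"".join(out)

def iv_for_chosen_first_block(key: bytes, p1: bytes, c1: bytes) -> bytes:
    # CBC sets C1 = E(P1 XOR IV), so IV = D(C1) XOR P1 makes the first ciphertext block exactly c1.
    return _xor(block_decrypt(key, c1), p1)

def demo():
    key = b"constructed-key!"                       # constructed 16-byte key
    payload = b"payload bytes of the hidden file"   # constructed 32-byte plaintext (two blocks)
    header = b"%PDF-1.5\n%\xe2\xe3\xcf\xd3\n%"      # constructed 16-byte PDF-style header
    iv = iv_for_chosen_first_block(key, payload[:BLOCK], header)
    ct = cbc_encrypt(key, iv, payload)
    return ct, iv, cbc_decrypt(key, iv, ct)
```

Only the first block is controlled this way; the remaining ciphertext blocks stay unpredictable, which is why the full technique also has to place them where the container format ignores them, as the article describes for the APK case.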

A simple hack completes the attack

Simply stuffing the malicious payload into the encrypted output file is not sufficient for the attack to work. Some data needs to be appended at the end of the original package, after the signature (the end-of-central-directory record, EOCD) that marks the end of the compressed file.

An APK is basically a ZIP archive, and the format does not permit any data to be added beyond the EOCD, so on its own the attack would not work; however, by adding a second marker the researchers managed to successfully complete their proof-of-concept, the slides explain.

Installing an app generates permission requests, which would reveal to the user that a second APK has been deployed on the device; but the procedure can be made invisible through several techniques, DexClassLoader being one of them.

A proof-of-concept demonstrating this type of attack was sent to the Android security team on May 27, 2014, which will release a fix for the issue in a future release.