[BlackHat Europe 2014] Hide Android Applications in Images

Presented at Blackhat Europe 2014 Slides can be found here and paper here At Hack.Lu 2014, presented the same topic as a lightning talk


Malware authors are always interested in concealing their goals to evade detection.
We have discovered a technique which enables them to hide whatever payload they wish in an Android package (APK).
The malicious payload is encrypted with AES, thus its reverse engineering does not give in any element.
Moreover, contrary to general belief, it is actually possible to manipulate the output of encryption and have it look like, for instance, a chosen image. Thus, the encrypted malicious payload can be crafted to look like an absolutely genuine image (of Anakin Skywalker ;).
We demonstrate with a Proof of Concept application that the attack works on current Android platforms, and we also explain how it works and how the payload is crafted.
This talk is not (or only very little) about cryptography. Understanding file formats, that's the magic :).

References

https://www.blackhat.com/eu-14/briefings.html http://2014.hack.lu