NOT OK GOOGLE: Android images can conceal code

Someone's found (yet) another nasty security flaw in Android, by crafting a way to pack malicious software to look like images. The good news is that disclosure was kept back until Google had put a fix in place; the bad news is, of course, the huge number of phone-owners who never update – either through choice, ignorance or …

  1. Anonymous Coward
    Coat

    What did you expect...

    Everyone knows Google = The Matrix!

    (Mine is the ankle length black leather jacket with the designer sunglasses in the pocket)

  2. saundby

    Many phones and low-end tablets can't be upgraded or are dependent on a vendor that will never post an update.

    1. mythicalduck
      FAIL

      It's not really a threat, because it's "delivered inside an innocuous wrapper app", which means you have to install a trojan app first - manually...

      and if you're installing trojan apps, then you're buggered anyway

      1. Anonymous Coward
        Anonymous Coward

        Re: if you're installing trojan apps, then you're buggered anyway

        ... and so it's just as well the trojan apps come with clear instructions that they should never be installed.

        (but let's not make it too easy for them, just in case)

      2. Dan 55 Silver badge
        FAIL

        You've missed the final part of the sentence in TFA which says the wrapper app "gets past both security apps and Google's Bouncer", which means it can be downloaded from the Play Store. Google's fix was to push out an update to Android which might never be installed.

        1. Anonymous Coward
          Anonymous Coward

          re: Google's fix was to push out an update to Android

          Now I think of it, since it's their Play Store, couldn't they (also) just unpack/check every package on there to ensure that it conforms properly, and block it if it doesn't? (but perhaps they do already?)

        2. os2baba

          And you think that Google didn't fix Bouncer to prevent the app from getting into the Play Store in the first place? And you think they didn't fix "Verify Apps" which runs on your phone? And which is delivered via Google Play Services all the way back to GB devices?

          This is exactly the kind of bug that Google can fix with Bouncer and Verify Apps.

          1. Dan 55 Silver badge

            I don't know, they only mention releasing an update to Android. Possibly Bouncer or Verify Apps weren't originally designed to check apps inside apps.

      3. Anonymous Coward
        Unhappy

        If I get this right....

        ... it's like the MS JPG issue from several years back. In order to get "infected" by the jpg, your machine had to be compromised first.

        This is the same thing, but comes in a lovely all-in-one package.

        Nice to see past mistakes are learnt and improved on to make the customer experience easier.

        1. sabroni Silver badge
          Thumb Up

          Re: it's like the MS JPG issue from several years back.

          No it's not! This is Google, hence fixing it in an update is ok and we can move on. Nothing like MS!!!

        2. Michael Thibault
          Joke

          Re: If I get this right....

          It's ... like ... déjà vu all over again?

  3. ajft

    Don't blame the phone owners "who never update"; blame the vendors and telcos who never provide the updates. Their business model is based on selling new phones, so they have zero interest in providing updates or support to the old ones.

    1. Cliff

      Indeed. Although I have a G1 at home (consider me the classic early adopter) and I'm pretty sure it's incapable of running anything beyond v1.6, whether the network supports that or not. It's the equivalent of still running Windows 98.

      1. Voland's right hand Silver badge

        Are you sure?

        Although I have G1

        HTC G1 can definitely run at least 2.2 courtesy of Cyanogen. Probably later too (just not an official mainstream Cyanogen port any more). Same as my Xperia Arc - it is officially not able to run anything past 4.0 and that was pretty awful; its max stable (and buggy) Cyanogen was 9. It is running at present a reasonably up-to-date 4.4.4 courtesy of the Legacy Xperia Cyanogen spinoff project, which is ahead of what most new phones coming off the factory lines are running. It is also reasonably bug free. Average uptime is weeks of heavy use (mostly as "newspaper" and GPS).

        As an added bonus I no longer have the Tw*tter and F***book taking all of the rather scarce application partition space. So something that should have been replaced by now is still perfectly usable and will probably remain "in-service" for a couple of extra years.

        It will also be replaced by another Sony for this exact reason - you can get a bootloader unlock from the manufacturer straight away and all top of the line models have excellent Cyanogen/AOSP support.

        1. eulampios

          the ancient HTC Inc running Kit Kat 4.4.4 here

          Running Evervolv AOSP 4.4.4 on the old HTC Inc, it's been pretty stable and smooth, except for a few video driver related nuisances and the fact that the /system partition is soldered to be a ridiculous 250 MB; the datadata partition is not too big either, 150 MB. Despite all that, and thanks to the community, it's fun to use.

      2. Anonymoist Cowyard
        Stop

        You must be littered with malware if the press are to be believed. Oh, you're not??? That doesn't make sense....

        With billions of android devices out there, everyone will know someone that's had an Android malware infestation on their device? Oh we don't? That doesn't make sense....

        This reporting nonsense has to stop; it's watering down the worth of REAL malware threats.

    2. Anonymous Coward
      Anonymous Coward

      That's why telcos and vendors should not be able to handle the update process (or remove functionalities), and it should come from the software vendor itself.

      Think if HP, Dell, Lenovo, etc. could control what software updates and features you can install on your PCs... of course they would try to stop updating older machines and force you to buy new ones - Apple, which controls both the HW and SW side, does something similar when new OS releases no longer support older but still valid models.

      Google anyway is not interested in spending money on efforts to keep your OS updated... after all your phone is just a Google terminal to access your data. Only if the Android market starts to shrink seriously under security issues will Google change something; otherwise it has no real interest.

      1. Dan 55 Silver badge

        Many OEMs and operators already have a copy of their apps on Play anyway, from there it's a small step to Google automatically pushing apps on the OEMs' and operators' behalf to the phones on first run, i.e. you update base Android then get OEM customisation apks, operator customisation apks, and Google Play Services pushed to the phone.

        If ever you were to install or update to another version of Android you could get the customisation downloaded again.

        If the OEM and operator apks weren't suitable for that device and version of Android then they wouldn't get downloaded and you'd have fewer customisations or even a base install if neither OEM nor operator manage to get their finger out. That would be an incentive for them to keep their customisation up to date and make it useful instead of letting it rot.

        Probably not as simple as I'm making out (binary blobs, configuration, etc... which also need to be installed into base Android for the phone to work) but anything's got to be better than the current unholy mess. It can't be rocket science to get it figured out.

      2. chris 17 Silver badge
        WTF?

        Apple, which controls both the HW and SW side, does something alike when new OS releases no longer support older but still valid models.

        Can you cite examples? My 2008 Aluminium MacBook 13 inch is running Yosemite just fine; it's the non-64-bit Intel Macs that can't upgrade, so anything less than a Core 2 Duo can't be OS upgraded (that's Intel Core Duo & Intel Core Solo).

        http://support.apple.com/kb/ht3696

        Supporting 6 year old machines is quite good i think.

        1. Michael Wojcik Silver badge

          Supporting 6 year old machines is quite good i think.

          Really? I'd call it a barely-acceptable minimum, if that.

  4. Anonymous Coward
    Anonymous Coward

    I think it's very clever of Google..

    .. to fragment the Android market place. Whenever there is a cockup, it's finger pointing all around, but nobody ever really picks up the blame. That's about as brave as telling everyone they have no privacy, but making sure your own details aren't available. Way to go, Google.

    1. eulampios

      Re: I think it's very clever of Google..

      ..to fragment the Android market place.. it's finger pointing all around, but nobody ever really picks up the blame.... this behaviour encouraged Putin to snatch Crimea...

      How did you figure this all out? My tin foil hat is off for your very intricate yet so logical train of thought. And where is your own tin foil hat, dear AC? Where's the tin foil icon, El Reg?

  5. Unicornpiss
    Alert

    @Sony

    I did not realize that Sony was so hacking-friendly with their devices. I'm amazed that they not only tolerate, but encourage tinkering with their phones. Is Sony's smartphone division a rogue faction that doesn't talk to anyone else in the company? I say this based on their attitude towards allowing owners of PS3s to run Linux (promised, then taken away), and everything else they publish being DRM'd within an inch of its life. Is Sony finally waking up? My next mobile device may be made by Sony then.

    I've always thought Sony built decent stuff, but their business plan of the last few years seems to be summed up by: 1) Ignore user wishes/privacy/security/fair use rights. 2) Invoke the ire of everyone. 3) Deny any wrongdoing until it's embarrassingly plain that they're lying. 4) Lose tons of money in settlements to wronged users and hasty after the fact fixes.

    1. Dan 55 Silver badge

      Re: @Sony

      Remember they were Ericsson working in partnership with Sony for a long time before being swallowed up.

      Either Sony haven't noticed yet or they've let them get on with it.

    2. ecofeco Silver badge

      Re: @Sony

      Sony is an overpriced brand riding on their decades-past accomplishments and name recognition.

      It is really very sad. I remember when they broke into the western market with superior and cheaper radios and TVs back in the late 1960s and early 1970s and dominated for the next 30 years, then lost their way in the late 1990s.

      "No baloney, it's a Sony!"

  6. The Mole

    "It also does not enable UK law enforcement agencies to take action against UK citizens committing cyber crime offences whilst physically outside the UK on the basis of their nationality alone."

    Good, and that is the way it should stay. Whilst I quite agree that some really really serious crimes should allow extra-territorial jurisdiction (crimes against humanity for instance), hacking certainly isn't one - let the country where you perform the act in prosecute the act.

  7. Kay Burley ate my hamster

    Google has pitched out a fix for Android 4.2.2

    Sorry El Reg? Can you clarify? Does this only affect version 4.2.2?

  8. paulf
    Holmes

    No updating

    FTA: "...the huge number of [android] phone-owners who never update – either through choice, ignorance or that their handset-maker holds back upgrades."

    Which of those three options is the most likely?

    [Hint it isn't the first two! And to debunk the ignorance angle, the last Android handset I had would check for updates once a week and ping an alert if one was available].

    Looking at the typical update rates on iOS (yes, I know, excepting iOS 8.0.x) it looks like there aren't significant numbers of users that are complete refuseniks when it comes to updating phone software.

  9. Mage Silver badge

    Doomed I tell ye!

    Total security is impossible. Someone will find another way to load code hidden in content.

  10. Anonymous Coward
    Anonymous Coward

    Could this be sent over email?

    If someone sends you an email with a .apk attachment, is it possible to install that? Most people know these days not to click on unknown attachments, and spam filters will remove exe files and may remove apk as well.

    However, if it looks like a jpeg, many people feel safe clicking on it. If after clicking on it, it shows an image and there's also a pop up for installing an app with a name like "Facebook Messenger update" they might think it was an automated thing unrelated to the email and click OK. If it works with inline images, simply opening/previewing the image would be enough to launch the installer dialog.

    I wonder if we're going to see a lot of spam using this technique in a few weeks? If what I'm suggesting can be made to work, the Android malware problem is going to grow exponentially in the next few months.

    1. Old Handle

      Re: Could this be sent over email?

      Yes it's possible to install a .apk sent through email (if you turn off the restriction to install only for Google). But it doesn't sound like just clicking on the image would do anything, although it wasn't totally clear. It sounds like you need a "helper" evil app already installed for the code embedded in the image to do anything.

      1. eulampios

        Re: Could this be sent over email?

        Even if you allow side-loading a package manager would still ask you your permission to install and let you examine the permissions of the app etc.

    2. eulampios

      Re: Could this be sent over email?

      You must be talking about MS Windows, which operates by extensions, not file permissions plus file headers/utilities; both the user and the system can be tricked by the former.

      What this vulnerability allows is that one can "hide" a piece of code inside the apk already. It says in the linked paper that one can insert "another apk" inside the given one, hidden in an image. That hidden apk can be installed later. It is unclear what the authors mean by "another apk", since every Android Application Package gets installed under a unique uid and gid (permissions). The vuln. is not a privilege escalation type either. So it's just a concealing-code type then.
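Two points raised above (the question whether a store could "unpack/check every package on there to ensure that it conforms properly", and the last comment's reading that another apk is hidden inside an image carried by the wrapper apk) come down to the same structural check: does each image resource inside the package parse as an image and nothing else? The following is an added example, not code from the article, the paper it covers, or any commenter. It walks PNG chunks to IEND and JPEG segments to EOI, reports any bytes after the end marker, and tries to open the image as a ZIP archive (an APK is a ZIP). The sample "wrapper apk" and "inner apk" are constructed placeholders built in-line, not real packages. It only catches a payload that is appended or otherwise left in archive form inside the image; if the hidden payload is transformed (encrypted, say) before being embedded, the page does not tell us how, and this check would then only notice that the file is not exactly an image.

```python
"""Structural check for image resources that are not only images (added example)."""
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
IMAGE_EXTS = (".png", ".jpg", ".jpeg")
# Bytes that may legally follow 0xFF inside JPEG entropy-coded data (stuffing, RSTn).
JPEG_STUFFED = {0x00, *range(0xD0, 0xD8)}


def png_end_offset(data):
    """Offset just past the IEND chunk, or None if the chunk walk fails."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # chunk header, payload, CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None


def jpeg_end_offset(data):
    """Offset just past the EOI marker, walking marker segments and scan data."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI
            return pos + 2
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:  # SOS: skip entropy-coded data up to the next real marker
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] not in JPEG_STUFFED
            ):
                pos += 1
    return None


def inspect_image(data):
    """Report trailing bytes and any ZIP archive hiding in one image blob."""
    if data.startswith(PNG_SIG):
        fmt, end = "png", png_end_offset(data)
    elif data.startswith(JPEG_SOI):
        fmt, end = "jpeg", jpeg_end_offset(data)
    else:
        fmt, end = None, None
    info = {"fmt": fmt, "malformed": end is None, "trailer_len": 0,
            "trailer_has_zip_header": False, "is_zip": False, "hidden_names": []}
    if end is not None:
        trailer = data[end:]
        info["trailer_len"] = len(trailer)
        info["trailer_has_zip_header"] = ZIP_LOCAL_HEADER in trailer
    if zipfile.is_zipfile(io.BytesIO(data)):  # zipfile tolerates data before the archive
        info["is_zip"] = True
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            info["hidden_names"] = z.namelist()
    return info


def scan_apk(apk_bytes):
    """Return (entry name, report) for every image entry that is not purely an image."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.lower().endswith(IMAGE_EXTS):
                info = inspect_image(apk.read(name))
                if info["malformed"] or info["trailer_len"] or info["is_zip"]:
                    findings.append((name, info))
    return findings


# --- constructed sample inputs (placeholders, not real packages) ---------

def make_png():
    """A valid 1x1 RGB PNG built from scratch."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def make_jpeg():
    """Structurally minimal JPEG (APP0, SOS, stuffed scan data, EOI); not decodable."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00" + b"\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return JPEG_SOI + app0 + sos + b"\x12\x34\xff\x00\x56" + b"\xff\xd9"


def make_placeholder_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in entries:
            z.writestr(name, body)
    return buf.getvalue()


def make_inner_apk():
    """Stand-in for the hidden package: a ZIP with APK-like entry names only."""
    return make_placeholder_zip([("AndroidManifest.xml", b"<placeholder/>"),
                                 ("classes.dex", b"dex\n035\x00placeholder")])


def make_wrapper_apk():
    """Stand-in wrapper whose splash image carries the inner package appended after IEND."""
    return make_placeholder_zip([("AndroidManifest.xml", b"<placeholder/>"),
                                 ("res/drawable/logo.png", make_png()),
                                 ("res/drawable/splash.png", make_png() + make_inner_apk())])


if __name__ == "__main__":
    for name, info in scan_apk(make_wrapper_apk()):
        print(name, info)
```

Run against the constructed wrapper, only res/drawable/splash.png is reported: the clean logo parses to IEND with nothing after it, while the splash image has a trailer that the zipfile module happily opens and lists as AndroidManifest.xml and classes.dex. A store-side or on-device verifier would apply the same walk to every image-typed entry and treat "image with trailing bytes" or "image that is also an archive" as grounds for rejection or closer analysis, rather than trusting the file extension.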
