http://www.theregister.co.uk/2014/10/22/android_can_be_tricked_into_loading_malware_obfuscated_in_pngs/
By Richard Chirgwin
The Register
22 Oct 2014

Someone's found (yet) another nasty security flaw in Android, by crafting
a way to pack malicious software to look like images.

The good news is that disclosure was kept back until Google had put a fix
in place; the bad news is, of course, the huge number of phone-owners who
never update -- either through choice, ignorance or because their
handset-maker holds back upgrades.

The researchers have found that it's possible to trick the Android app
wrapping system so that an image can be wrapped up with malware, and
delivered inside an innocuous wrapper app, which gets past both security
apps and Google's Bouncer.

The basis of the attack is a custom encryption package (which they dubbed
AngeCrypt) that makes the malicious APK look like a valid PNG image file
(other image formats work as well).

[...]