The Android Photo Hack: A Picture Says a Thousand Commands

By on Sep 09, 2016

Most people have heard the story of the Trojan horse. We’ve learned the moral of that story: don’t trust gifts from strangers. Today, nobody would use a giant horse statue – except maybe pranksters with a bad sense of humor – although similar tricks exist in digital form. People are wary of unknown .exe files and sudden downloads from corny pop-up ads. They trust more familiar file types such as .jpg. But in the latest incarnation of the Trojan horse, malicious code can be hidden in images, allowing cybercriminals to take over Android devices.

Google moves quick and has already issued an Android update. Once those software changes occur on a device, this loophole will be resolved. Another positive, this tactic hasn’t been found in common use – it was a discovery by cybersecurity researcher Tim Strazzere. So ultimately, the photo hack is not a widespread threat. But people should be aware and educated nonetheless. Understanding how cybercriminals act is the first step to knowing how to stay safe online.

Truth be told, hiding malicious code in other forms isn’t a new tactic. Crooks have concocted all manner of disguises. Infected Microsoft Word documents have even been found. When users launch these infected files on their PC, malware is installed to steal sensitive information. The photo method is only the latest in this context.

What’s unique in this case is the caveat that villains can get their way without images being clicked on. Let’s jump into brief technical details to explain how. When photos are sent to your Android device, some of that data is processed before users open the file. This is known as parsing in computer terms: the unpacking and separating of information. See, smartphones need to know what data to process when users open a file. But first, they must look at other data to understand the nature of the file type. That’s where cybercriminals could package secret instructions to be triggered from the get-go.

What happens then? Well, the malware can “brick” users’ devices, meaning they are rendered unusable. Cybercriminals then gain remote access to the smartphone. With all the sensitive information our devices now store, crooks could snatch quite a bit! Think of all those financial details, passwords for online accounts, and emails. Additionally, perpetrators could even use the phone’s applications to their gain, and the user’s expense.

Now remember, Google already issued an Android update to combat this – so there’s no need to panic. The threat, however, should open some people’s eyes. A range of sneaky threats exist out there, and education is key. This won’t be the last reincarnation of the Trojan horse. But with the right security knowledge, people can help to keep themselves safe in our digital age.

With that in mind, here are three cybersecurity tips to act on:

  • Don’t over-expose yourself on social media and chat apps. For this photo trick to hijack your Android device, someone has to first send you an image. How will they do so? Probably over Facebook message or another chat app. So think of security in layers: at the very perimeter, don’t allow just anyone to contact you. This also protects you against social media bullying.
  • Update your device as soon as possible. Large companies have cybersecurity teams working to protect customers, but updates may depend on users. In this case, once Google received the report, the latest Android update was tailored to resolve the vulnerability. Make sure to update your devices and applications as well.
  • Be wary where you browse and what you open. As threats evolve, cybercriminals continue to serve malware in advanced methods. Some people could receive an email with an infected Microsoft Word attachment, while others could accidentally end up on an unsecure website. Always make sure what’s on your screen is authentic. Double check email senders. Look for the official URL. Be mindful and aware.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee on Twitter, and ‘Like’ us on Facebook.

gary

About the Author

Gary Davis

Gary Davis was previously McAfee's Consumer Security Evangelist providing security education and advice to businesses and consumers. He is a sought-after speaker on trends in digital security, appearing at conferences and events, as well as security and consumer lifestyle broadcast outlets and publications such as ABC, NBC, FOX, the Wall Street Journal, USA Today, Money ...

Read more posts from Gary Davis

Subscribe to McAfee Securing Tomorrow Blogs