Analysis Report on Malicious App Using Steganography

1. Overview

Steganography is a data hiding technique in which the data to be concealed is embedded inside a normal-looking file. In Windows environments it is commonly used to insert malware into a benign file so that it evades detection by anti-malware products and operates covertly when the program is executed.

There have been numerous instances of malicious apps using techniques such as payload downloading and packing to conceal their behavior. However, this is the first known case of an app hiding DEX data within image files.

This report covers the image files that were manipulated using steganography and their sources, along with the analysis of the DEX files extracted from these images.

2. Analysis

2.1. APK Information

The basic information on the analysis target is given in Table 1.

Table 1. File information

2.2. Execution Screen

Upon running the app, the DEX that performs the actual malicious behavior is loaded after a calculation is performed on the contents of the image files. In the case of the app discovered this time, unnecessary processes are called repeatedly during execution, causing an infinite loop that prevents the app from running normally. However, since some of the code includes image preprocessing functions such as grayscale conversion, these features may be used in the future to conceal the DEX.

Figure 2. App execution screen

2.3. Analysis Information

The files stored in the assets folder are all PNG image files, which appear normal when extracted.

Figure 3. Image files stored in the app

Figure 4. Image files with steganography applied

The app reads the 23 files in the assets folder that contain the hidden DEX data.

Figure 5. List of files with hidden DEX information

After reading the files in the assets folder, the app runs a calculation over their contents, stores the result in a buffer, and then loads the DEX file with the InMemoryDexClassLoader class.

Figure 6. Loading DEX through InMemoryDexClassLoader

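The report does not state the exact calculation the app applies to the image data, so the recovery routine itself cannot be reproduced here. The following Python script is an added triage aid, not code from the report or from the app: it walks the PNG chunk structure of an asset and flags the structural anomalies a steganographic carrier tends to show (bytes after IEND, non-standard chunks, bad CRCs) as well as any plain DEX header magic; the sample PNGs are constructed inline.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else deserves a look.
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT",
                   b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME"}
DEX_MAGIC_RE = re.compile(rb"dex\n0[0-9]{2}\x00")  # DEX header: "dex\n" + version + NUL


def walk_png(data):
    """Return (chunks, trailing): chunks as (type, payload, crc_ok), trailing = bytes after IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # length field + type + payload + CRC
        if end > len(data):
            raise ValueError(f"chunk {ctype!r} runs past end of file")
        payload, crc = data[pos + 8:end - 4], struct.unpack(">I", data[end - 4:end])[0]
        chunks.append((ctype, payload, crc == (zlib.crc32(ctype + payload) & 0xFFFFFFFF)))
        pos = end
        if ctype == b"IEND":  # the image ends here; anything after is not part of the PNG
            break
    return chunks, data[pos:]


def triage_png(data):
    """Return a list of findings for one PNG asset; an empty list means nothing unusual."""
    chunks, trailing = walk_png(data)
    findings = []
    for ctype, payload, crc_ok in chunks:
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {ctype!r} ({len(payload)} bytes)")
        if not crc_ok:
            findings.append(f"bad CRC on chunk {ctype!r}")
    if trailing:
        findings.append(f"{len(trailing)} bytes after IEND")
    if DEX_MAGIC_RE.search(data):
        findings.append("DEX header magic present")
    return findings


def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# Constructed samples: a valid 1x1 grayscale PNG, and the same PNG with a fake DEX blob after IEND.
CLEAN_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
STEGO_PNG = CLEAN_PNG + b"dex\n035\x00" + b"\x00" * 64
```

Plain-magic matching only catches an unencoded payload; the structural checks are the more general signal, and a flagged asset should then be correlated with use of InMemoryDexClassLoader in the app's code.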
MD5

05dec2112cc9adffcfd92c8a8af16eb0

URL

http[:]//alarabiye[.]net/
http[:]//gradleservice[.]info/