Leaving our ZIP undone: how to abuse ZIP to deliver malware apps

Friday 26 September 12:00 - 12:30, Red room.

Gregory Panakkal (K7 Computing)


2013 saw multiple high-profile vulnerabilities for Android, with the 'Master Key' cryptographic signature verification bypass topping the charts. Several specially crafted malware APKs exploiting this vulnerability appeared after PoCs were published by its initial discoverers. The root cause was a difference between the two ZIP archive-handling implementations used by Android: one validates the APK (written in Java), the other extracts its contents (written in C), and the two did not agree on what the archive contained.

ZIP is the de-facto standard packaging format for delivering applications and documents: Android Package (APK), Java Archive (JAR), Metro App (APPX), Office Open Format (DOCX, XLSX etc.). Android and Java malware, delivered via ZIP-based packages, have reached large volumes in the wild, and continue to grow at a steep rate. Therefore it is critical for anti-virus engines to scan the contents of these files correctly, matching the behaviour observed in the target environment.

This paper explores the ZIP file format, focusing specifically on APK as handled by the Android OS. It covers the existing design and the technical aspects of publicly disclosed Android vulnerabilities. The paper also explores new malformations that can be applied to APK files to break typical AV engine unarchiving, thus bypassing content scanning, while keeping the APK valid for the Android OS. It briefly covers the concept of an amalgamated package ('Chameleon ZIP') that can be treated as an APK, JAR or DOCX depending on which application processes it, and the challenges this poses for AV engine components that scan content based on the recognized package type.
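The parser-differential mechanism behind the Master Key case, and the abstract's point that an AV unarchiver must see the same contents the target platform sees, as an added example that is not from the paper or from K7 Computing: a Python audit that parses the ZIP end-of-central-directory record and every central-directory header by hand, then flags the conditions a scanner should refuse to resolve on its own (duplicate entry names, and a central-directory entry that disagrees with the local file header it points at). The sample archives, entry names and contents are constructed inline with the standard zipfile module and are illustrative only; `entry_as_seen_by` shows one real implementation's tie-break rule (Python's zipfile keeps the last entry for a name), which is the kind of disagreement the audit exists to surface.

```python
"""Added example (not from the paper or K7 Computing): a minimal ZIP audit
of the kind an AV unarchiver can run before trusting an archive. It parses
the End Of Central Directory (EOCD) record and every central-directory
header by hand and flags the conditions that let two ZIP implementations
disagree about an archive's contents: duplicate entry names (the shape of
the Android 'Master Key' bug) and a central-directory entry that does not
agree with the local file header it points at."""
import io
import struct
import warnings
import zipfile

EOCD_SIG = b"PK\x05\x06"        # end of central directory record
CDH_SIG = b"PK\x01\x02"         # central directory file header
LFH_SIG = b"PK\x03\x04"         # local file header
FLAG_DATA_DESCRIPTOR = 0x0008   # sizes/CRC follow the data; local header holds zeros


def check_local_header(data, index, name, crc, csize, usize, lfh_offset):
    """Compare one central-directory entry with the local header it points at."""
    if lfh_offset + 30 > len(data) or data[lfh_offset:lfh_offset + 4] != LFH_SIG:
        return [f"entry {index} ({name!r}) points at offset {lfh_offset}, "
                f"which is not a local file header"]
    # local header: sig(4) version(2) flags(2) method(2) time(2) date(2)
    #               crc(4) csize(4) usize(4) name_len(2) extra_len(2)
    flags, l_crc, l_csize, l_usize, l_name_len = struct.unpack_from(
        "<2xH6xIIIH", data, lfh_offset + 4)
    local_name = data[lfh_offset + 30:lfh_offset + 30 + l_name_len].decode("utf-8", "replace")
    out = []
    if local_name != name:
        out.append(f"entry {index}: central directory says {name!r} "
                   f"but local header says {local_name!r}")
    # With the data-descriptor flag set the local header legitimately carries zeros.
    if not flags & FLAG_DATA_DESCRIPTOR and (l_crc, l_csize, l_usize) != (crc, csize, usize):
        out.append(f"entry {index} ({name!r}): CRC/size fields differ between "
                   f"central directory and local header")
    return out


def audit_zip(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    # The EOCD sits at the very end, followed only by a comment of at most 64 KiB.
    eocd_at = data.rfind(EOCD_SIG, max(0, len(data) - (65535 + 22)))
    if eocd_at < 0 or eocd_at + 22 > len(data):
        return ["no End Of Central Directory record found"]
    # EOCD after sig: disk(2) cd_disk(2) n_this_disk(2) n_total(2) cd_size(4) cd_offset(4) comment_len(2)
    n_total, cd_size, cd_offset, _comment_len = struct.unpack_from("<6xHIIH", data, eocd_at + 4)
    pos = cd_offset
    seen = {}      # entry name -> index of the first central-directory header using it
    parsed = 0
    while pos + 46 <= len(data) and data[pos:pos + 4] == CDH_SIG:
        # central header from +10: method(2) time(2) date(2) crc(4) csize(4) usize(4)
        # name_len(2) extra_len(2) comment_len(2) disk(2) int_attr(2) ext_attr(4) lfh_offset(4)
        crc, csize, usize, name_len, extra_len, comment_len, lfh_offset = struct.unpack_from(
            "<6xIIIHHH8xI", data, pos + 10)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if name in seen:
            findings.append(f"duplicate entry name {name!r} "
                            f"(central directory entries {seen[name]} and {parsed})")
        else:
            seen[name] = parsed
        findings.extend(check_local_header(data, parsed, name, crc, csize, usize, lfh_offset))
        pos += 46 + name_len + extra_len + comment_len
        parsed += 1
    if parsed != n_total:
        findings.append(f"EOCD declares {n_total} entries but {parsed} "
                        f"central directory headers were parsed")
    if pos != cd_offset + cd_size:
        findings.append("central directory size in EOCD does not match the headers present")
    return findings


def build_sample(duplicate: bool) -> bytes:
    """Constructed test input (not a real app): a tiny APK-shaped archive.
    With duplicate=True a second entry with the same name is appended, the
    condition a scanner must report rather than resolve by its own rule."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", "first copy")
        if duplicate:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")  # zipfile warns on duplicate names but still writes them
                zf.writestr("classes.dex", "second copy")
    return buf.getvalue()


def entry_as_seen_by(data: bytes, name: str) -> bytes:
    """Which copy one particular implementation (Python's zipfile) resolves a
    name to: it keeps the last central-directory entry for that name. Another
    implementation may keep the first, which is exactly the disagreement an
    unarchiver must not paper over silently."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    for dup in (False, True):
        print("duplicate" if dup else "clean", "->", audit_zip(build_sample(dup)) or "no findings")
    print("zipfile resolves classes.dex to:", entry_as_seen_by(build_sample(True), "classes.dex"))
```

The audit deliberately reports a duplicate name instead of picking a winner: any tie-break the scanner chooses (first entry, last entry, the one the local headers describe) is a guess about which of several consumers' rules the target platform applies, and the safe outcome for a scanner is to treat the archive as malformed and scan every copy.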

Gregory Panakkal

Gregory R. Panakkal graduated from the Model Engineering College (CUSAT), India in 2005 with a Bachelor's degree in computer science and technology. During his college days, he worked part-time as a security consultant for Rediff.com, a leading online portal in India. Immediately after graduation he worked as a software engineer for Wipro Technologies, Bangalore. He joined K7 Computing in 2007 to pursue his passion for malware analysis and its detection technologies. He currently works on various anti-malware components that are part of the K7 security suite. His other interests include reverse engineering and vulnerability research.