How Malware Hides in Images and What You Can Do About It

There are plenty of dangers to watch out for when it comes to keeping your devices and your data safe, including viruses, phishing attempts, compromised wifi networks, and rogue USB sticks. Here, we’re going to talk about one of the lesser-known threats: Compromised images.

You might not have realised it, but malware can be injected into digital photos that appear to be perfectly normal. The technique for doing so is known as steganography, or the practice of hiding one file in another, and it’s not always done maliciously. The method takes advantage of the hidden data that comes along with an image, data which isn’t necessarily translated into pixels on your screen.

Almost any image format can be edited to conceal malware, and the more appealing and popular the picture, the better: Images from the James Webb telescope were recently used as part of a malware attack, for example. Typically, these compromised pictures get served to you on websites or embedded in documents.

There's more to image files than meets the eye. (Screenshot: Adobe Photoshop Elements)

Those are the basics, but the exact details of this threat vary between attacks. Malware code can be embedded in an image in a few different ways: attached to the end of the file, hidden through slight tweaks to individual bits of the file's data, or placed in the metadata associated with the file (this metadata also stores the time and date the photo was taken, and other information).
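Two of those hiding places, data attached after the end of the file and data carried in metadata, can be checked for by walking the file's structure. The sketch below is an added example, not part of the original article: it covers PNG only, and the function names and the sample images (built inline, with placeholder bytes standing in for an appended payload) are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
METADATA_CHUNKS = {b"tEXt", b"zTXt", b"iTXt", b"eXIf"}

def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def scan_png(data: bytes) -> dict:
    """Walk the chunk list; report metadata chunks and bytes after IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    report = {"metadata": [], "bad_crc": [], "trailing_bytes": 0, "truncated": False}
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(data):
            break  # declared chunk length runs past the end of the file
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            report["bad_crc"].append(ctype.decode("latin-1"))
        if ctype in METADATA_CHUNKS:
            report["metadata"].append((ctype.decode("latin-1"), length))
        pos = end
        if ctype == b"IEND":  # a well-formed PNG ends here
            report["trailing_bytes"] = len(data) - pos
            return report
    report["truncated"] = True  # IEND was never reached
    return report

# Constructed sample: a 1x1 greyscale PNG with one text metadata chunk.
ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
CLEAN_PNG = (PNG_SIG + make_chunk(b"IHDR", ihdr)
             + make_chunk(b"tEXt", b"Comment\x00holiday photo")
             + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))
# Same image with constructed placeholder bytes appended after the end marker.
APPENDED_PNG = CLEAN_PNG + b"PLACEHOLDER-EXTRA-DATA"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("appended", APPENDED_PNG)):
        print(name, scan_png(blob))
```

A non-zero `trailing_bytes` count or an unusually large metadata chunk is a reason to look closer, not proof of malware; changes to individual pixel bits leave the file structure intact and are not visible to this check.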

In one recent attack, the ObliqueRAT malware was hidden inside a seemingly ordinary bitmap file displayed in a browser tab. In this case, a Microsoft Office email attachment was used to direct unsuspecting targets towards the image, but a variety of other methods can be deployed as well — as long as the image gets loaded, the exploit can work.

Whatever the details, the image acts as the carrier for something dangerous, like the Trojan horse of Greek lore. Pictures can carry code to cause damage to a system, to set up a ransomware request, or to start mining crypto on a computer. There are many different variations and possibilities, and of course new threats are being developed all the time. In fact, any file can be used as a carrier — videos and documents work as well as images.

Web browsers are well protected against this kind of threat — but keep them updated. (Screenshot: Google Chrome)

One of the reasons these attacks work so well is that an image file seems a lot more innocent than an executable file. Even if you’re unlikely to download and run an app you don’t know anything about, you might be tempted to take a look at a picture someone has sent you — especially if it’s a majestic shot of deep space, as with the James Webb telescope example.

As with other security threats, bad actors and security experts are in a constant battle to stay ahead: For instance, threat intelligence company ReversingLabs has a great blog post about how the EXIF data attached to an image (those details around when the photo was taken and which camera was used) can be compromised to execute code. There are plenty more examples out there.

At this point, you might be wondering if you should ever load an image in your web browser or email client again. The setting to block this is actually available in most browsers if you really want to be on the safe side — in Chrome, for example, open Settings from the menu and then click Privacy and security, Site settings, and Images.

Go ultra-secure and turn off images in your browser. (Screenshot: Google Chrome)

The good news is that your web browser will be actively looking for online threats and should shut down the majority of malware attacks that come through images before they can do any damage. Computer security is never 100 per cent guaranteed, but you’re most likely going to be fine if you carry on loading images as normal, thanks to the limits that browsers put on what websites are able to do — just make sure that your browser is always up to date.

It’s also worth bearing in mind that almost all the images you see on social media have been modified and compressed on their way to a data server, making it very difficult for a bad actor to hide code that’s still fully preserved by the time the image makes it in front of anyone’s eyeballs. Image-based malware isn’t a particularly common threat, but it’s still worth knowing about and protecting yourself from.

All the same security rules apply to keep yourself safe from image-based attacks as for any other kind of threat. Make sure your programs are always running the very latest versions, be wary of opening anything that comes your way over email and social media (even if it appears to be from someone you trust), and for extra peace of mind, get a third-party security software suite installed on your computer.