How cybercriminals hide malware in photo metadata

Privacy and security are two things Internet users value highly. What you may not know is that the files we keep, Office documents, music, photos and more, carry metadata. Looking at it carefully gives us additional descriptive information about that file. For this reason, when sharing or sending a file you have to be careful, because it can reveal some of our data. Metadata is generally useful to us, but the problem is that a way to infect our computers through it has been discovered. In this article we are going to see how cybercriminals hide malware in image metadata.

The first thing we are going to do is explain what metadata is and we will give a practical example with an image. We will then see how malware is used in image metadata.


What is metadata and how to view it

Metadata is data that describes other data. It is generated automatically by our computer or smartphone through the programs or applications we use; we do not have to do anything, and what it does is provide a description of that file.

If we want to see it in Windows it is very simple: open File Explorer, select a photo, right-click it, choose Properties and go to the Details tab. We would then see data similar to this:

Depending on the type of file, it can show your name (for example, in an Office file) or the geographical location (in a photo). That is why it is sometimes advisable to remove the metadata from a file or photograph.

The danger of malicious software in metadata

Phishing is one of the great dangers we can find in our email inbox. But imagine a more threatening world in which malware lurks invisibly everywhere: there, something as simple as opening the wrong image online could be enough to put our data and equipment at risk.

Profile images carrying Trojans have been seen on Slack, Discord, WooCommerce and Steam. All of them contained dangerous hidden code: the image acted as a container and carried the malware without the image itself necessarily being infected. These attacks reach victims through channels that are supposed to be safe, and the carrier is none other than the metadata.

Cybercriminals covertly insert malicious software into the metadata of a user's profile picture while trying to elude the authorities. The problem is that it is very difficult to detect without examining each of the images uploaded to a given server. You may also want to know the types of metadata that exist and what they are used for.

How to detect malware in metadata

We have already seen that images can sometimes contain malware. The problem is that it is not always easy to spot, even with EXIF parsing software or Jeffrey's Image Metadata Viewer. To find malicious software in the metadata we need to know what we are looking for, and the average user does not always have the necessary experience or technical knowledge to do so.

One example of metadata malware was found in a JPEG meme that, when examined with an EXIF tool, showed the wrong length for its ICC profile. That segment normally holds the image's colour profile (its output standard), but here it had been replaced by encrypted JavaScript malware. In short, malware in the metadata can compromise our computers if we open an image from the aforementioned websites, an email attachment, or a malicious web application.
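The ICC length mismatch described above is something a defender can check for automatically. The following is an added example, not code from the article: it walks the segments of a JPEG, reassembles the APP2 ICC_PROFILE chunks, and flags a profile whose declared size does not match what the file actually carries, a missing 'acsp' signature, or script-like text where only colour data belongs. The two JPEGs it scans are constructed in the script itself (a minimal valid profile and one padded with a script tag); they are not real images.

```python
import re
import struct

# Strings that have no business inside a colour profile (chosen for this example).
SCRIPT_MARKERS = re.compile(rb"<script|eval\(|document\.|String\.fromCharCode", re.I)

def jpeg_segments(data: bytes):
    """Yield (marker, payload) for each length-prefixed JPEG segment before SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):                 # EOI or SOS: metadata ends here
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # standalone markers carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def icc_profile_findings(data: bytes) -> list:
    """Return the anomalies found in the embedded ICC profile (empty list = nothing odd)."""
    # APP2 payload = "ICC_PROFILE\0" + chunk number + chunk count + profile bytes
    chunks = [p[14:] for m, p in jpeg_segments(data)
              if m == 0xE2 and p.startswith(b"ICC_PROFILE\x00")]
    if not chunks:
        return []
    profile = b"".join(chunks)
    findings = []
    declared = struct.unpack(">I", profile[:4])[0] if len(profile) >= 4 else -1
    if declared != len(profile):            # the "wrong length" symptom from the article
        findings.append(f"ICC size mismatch: header says {declared}, file holds {len(profile)}")
    if profile[36:40] != b"acsp":
        findings.append("ICC 'acsp' signature missing at offset 36")
    hit = SCRIPT_MARKERS.search(profile)
    if hit:
        findings.append(f"script-like content in ICC profile: {hit.group().decode(errors='replace')!r}")
    return findings

# --- constructed samples (not real images) ---
def _app2(profile: bytes) -> bytes:
    body = b"ICC_PROFILE\x00\x01\x01" + profile      # single chunk, 1 of 1
    return b"\xff\xe2" + struct.pack(">H", len(body) + 2) + body

def _profile(body: bytes, declared: int = -1) -> bytes:
    size = 128 + len(body) if declared < 0 else declared   # 128-byte ICC header + body
    return struct.pack(">I", size) + b"\x00" * 32 + b"acsp" + b"\x00" * 88 + body

CLEAN_JPEG = b"\xff\xd8" + _app2(_profile(b"\x00" * 16)) + b"\xff\xd9"
SUSPECT_JPEG = b"\xff\xd8" + _app2(_profile(b"<script>eval(x)</script>", declared=144)) + b"\xff\xd9"
```

Running `icc_profile_findings` on a real file is the same as on the samples: read the bytes and pass them in; an empty list means the profile is at least structurally consistent, not that the image is safe.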