Instagram app hacked by images with malware

[German]Security researchers at Check Point have succeeded in attacking the Instagram app on smartphones by successfully posting malware-infected images. This allowed the theft of account credentials and mobile device monitoring. The vulnerability has now been fixed.


I received the message from the Check Point security researchers by email today at noon. Instagram currently has over one billion users worldwide. That's why the Check Point people took the popular Instagram social media platform and scanned it for vulnerabilities. They found one dangerous vulnerability. Using a contaminated photo, the experts were able to steal user accounts and monitor mobile devices.

An infected photo is enough for the hack

The process is simple: Attackers simply had to send an infected image to a user via email, WhatsApp or MMS – or any other platform of their choice. Once the user saves the image (which is automatic with WhatsApp under factory defaults) and opens the Instagram app on their smartphone, the malware behind the image is activated. This gives the attacker full control over the victim's mobile device for remote control. The attacker then has several options:

  • The hacker can crash the Instagram app and deny the user access to it until it is deleted and reinstalled. This can lead to loss of data.
  • The hacker can also gain access to the victim's Instagram user account and view their messages and pictures, delete and publish new ones, and change their profile data.
  • Finally, he can turn the smartphone into a bug because the Instagram app requires an enormous amount of access permissions to various features of the smartphone.

This last point in particular comes in handy for the attacker, as it allows him to view contacts, GPS location, stored files and read the camera.

Bug in open source decoder Mozjpeg

The security researchers found the vulnearbility in Mozjpeg, an open source decoder for jpeg images. Instagram uses this decoder to load images into the application. For this reason, the experts warn all developers against using such third-party programs without thoroughly testing their security. 

"On the one hand, our research shows that third-party program databases can be a dangerous gateway. Therefore, we recommend that all developers thoroughly examine this software before it is included and puts the entire app structure at risk. Such third-party programs from open source sources are widely available. We also strongly advise all users to find out what kind of permissions an app requires during installation, which are often far-reaching. This is the strongest line of defense against smartphone attacks," explains Yaniv Balmas, Head of Cyber Research at Check Point Software Technologies.


Vulnerability now eliminated

The vulnerability was discovered by Check Point six months ago and reported to Facebook, the owner of Instagram. The vulnerability was closed soon after, but Check Point decided to wait a long time so as not to put users at risk. The security researchers hoped that all users would have the patches installed by now. Facebook listed the vulnerability as CVE-2020-1895. An overview of the research can be found in the Check Point blog in this article. Technical details can be found here.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published.