A security flaw in Android means hackers can create malicious software that looks like an image.
By wrapping up a photo or graphic with malware, it can be delivered in a way which gets past security apps and the Google Bouncer security scanner.
Google kept the security flaw quiet until it had provided a patch for its software, however users who rarely update their phone's operating system are likely still at risk.
The technique works by making malicious code look like a valid image format - such as PNG or JPG - using a custom encryption package.
The flaw was detailed by researchers Axelle Apvrille and Ange Albertini on the Black Hat hacking news website.
Writing before the problem was patched they said: "Such an attack is highly likely to go unnoticed, because the wrapping Android package hardly has anything suspicious about it, and nothing about the payload leaks as it is encrypted.
"Additionally, the attack works with any payload and currently on any version of Android."
In the researchers' demonstration, a malicious application designed to steal photos, messages and other data was designed to look like an image of Darth Vader.
By wrapping up a photo or graphic with malware, it can be delivered in a way which gets past security apps and the Google Bouncer security scanner.
Google kept the security flaw quiet until it had provided a patch for its software, however users who rarely update their phone's operating system are likely still at risk.
The technique works by making malicious code look like a valid image format - such as PNG or JPG - using a custom encryption package.
The flaw was detailed by researchers Axelle Apvrille and Ange Albertini on the Black Hat hacking news website.
Writing before the problem was patched they said: "Such an attack is highly likely to go unnoticed, because the wrapping Android package hardly has anything suspicious about it, and nothing about the payload leaks as it is encrypted.
"Additionally, the attack works with any payload and currently on any version of Android."
In the researchers' demonstration, a malicious application designed to steal photos, messages and other data was designed to look like an image of Darth Vader.
