Acropalypse is a vulnerability in Google’s markup editor (and Windows Snipping Tool). It allows an attacker to recover parts of a cropped or marked up image.
There are a couple specific steps you have to follow for the bug to happen.
Take a screenshot
Save screenshot
Crop or markup screenshot in Google Markup or the Windows Snipping Tool
Save screenshot with the same name as original screenshot
The bug is when you save the cropped screenshot with the same name, it overwrites the original file, but the markup tools are not resizing or truncating the file. Meaning that there is extra data in the screenshot.
For example in the following two screenshots, notice the size and dimensions
Here is the first screenshot
The second screenshot shows smaller dimensions because it was cropped, but the size is still the same.
Am I affected?
Potentially. Most images are reprocessed if they are being uploaded to a web service. Discord only started doing that in January. So if you have images on Discord before then, you may want to look into that.
You also have to specifically overwrite the original screenshot image. If you don’t normally save the image first you may be fine. Never hurts to check though.
macOS and so presumably iOS, appear to properly resize the image after cropping has taken place. That would lead me to suspect that iOS and macOS devices are not vulnerable to a variant of apocalypse.
Twitter Post about acropalypse.
Introducing acropalypse: a serious privacy vulnerability in the Google Pixel's inbuilt screenshot editing tool, Markup, enabling partial recovery of the original, unedited image data of a cropped and/or redacted screenshot. Huge thanks to @David3141593 for his help throughout! pic.twitter.com/BXNQomnHbr
It is sometimes helpful to pull an APK from a working device so you can install it on a different device. These commands should work on an emulator, phone, tablet, or other Android device. You just need to be able to connect with ABD.
Connect to device with ADB
View installed apps
Find path for APK
Pull/Download APK
View Installed Apps
This will display a list of all the installed packages.
adb shell pm list packages
Find path for specific App/APK
Replace com.android.apk with the app of interest.
adb shell pm path com.android.apk
Pull APK to local machine
Pull/Download the APK of interest to your local machine with the following command. Change the path “/data/app/…” to the path returned from the previous command.
adb shell pull /data/app/info/base.apk
You can view the following link for more information.
In this case our second user id is 11. To get a list of APKs installed for our second user we would specify the –user= option
adb shell pm list packages --user=11
To get the path for the app we would run it with
adb shell pm path --user=11 com.android.apk
Split APKs
Split APKs can be slightly more difficult to manage, mainly due to the fact that there are multiple APKs to keep track of.
When you run the “pm path” command, it should return multiple APKs. Use the pull command like normal, but download each APK.
You’ll need to use a split APK installer to install all the APKs.
PowerShell script for Pulling/Downloading all APKs on Device
The following PowerShell script will download all APKs for a specific user and put them in their own folders.
Copy the contents to a .ps1 file
Enable ps1 execution policy if not already enabled
Run PowerShell script.
This script will pull all the APKs off of a device and put them in the current folder. It will also download split APKs.
# adbapkbackup uses adb to get a list of all the APKs you have on a phone and then
# Creates folders for each app and downloads the APKs for those apps.
# Copy and save code as a ps1 file
# Enable ps1 scripts to run on your computer by launching an Admin promopt and running
# set-executionpolicy remotesigned
# If you are in a secondary profile, add and/or modify
# "--user 15"
# to your user id
# adb shell pm list users
# If in secondary profile, add "--user 15" after packages before > apklist.txt
adb shell pm list packages --user 15 > apklist.txt
$apks = ((Get-Content .\apklist.txt)) -replace 'package:',''
ForEach ($apk in $apks) {
echo "APK is $apk"
md $apk
# If in secondary profile, add "--user 15" after path, before $file
adb shell pm path $apk
$filepath = ((adb shell pm path --user 15 $apk | % {$_.replace("package:","")}))
ForEach ($lapk in $filepath | % {$_.replace("package:","")}) {
echo "pulling $lapk $apk"
adb pull $lapk $apk
}
}
Restoring a Pixel to the factory image is a pretty straight forward operation if you are familiar with fastboot and adb. This guide assumes you have fastboot already installed and setup in your user path. If not you can refer to the following link for more information.
WARNING – THESE STEPS WILL DELETE ALL USER DATA OFF THE DEVICE.
You should be good now. You’ll need to relaunch and Command Prompts you have open, but you should be able to run adb without having to navigate to the adb folder.
