"This String of Emojis Is Actually Malware"
In the future, hackers could compromise someone simply by sending a random string of emojis to their computer or cellphone. When hackers discover a flaw in a target computer or cellphone, they create an exploit or piece of code designed to exploit the flaw and take control of the target. The exploit, like any other code, usually contains strings of letters and symbols, but new research shows it does not always have to be the case. Security researchers Hadrien Barral and Georges-Axel Jaloyan have discovered a way to deliver an exploit to a target using only a series of emojis. The hacker needs an emoji-only input, also known as an emoji-only shellcode, to exploit the vulnerability, according to Barral and Jaloyan, referring to the code that gives hackers a "shell," which is a prompt they can use to send commands to the compromised machine. Jaloyan explained that an exploit must first pass through a filter before being sent to the target. For example, if a hacker sends their payload via a form that only accepts letters and digits, the payload should also be made up of letters and digits. Therefore, an emoji attack only works if it passes through a filter that only accepts emojis, which, according to Jaloyan, does not exist at the moment. Nonetheless, Barral and Jaloyan's research and proof-of-concept (POC) demonstrate that using emojis to hack targets is feasible. Their primary contribution is an emoji-only payload that spawns a shell. The researcher's plan is to educate defenders, demonstrating that this is a possibility and encouraging them to change their behavior. They hope this study will assist penetration testers in applying this new technique to similar problems, as well as blue teams in rethinking their threat model and improving malware detection. Barral and Jaloyan discovered that some software has difficulty processing emojis during their research, showing that not all computers and programs support them. This article continues to discuss the new research on the use of a series of emojis to deliver an exploit to a target.
VICE News reports "This String of Emojis Is Actually Malware"