Favicon Trojans: Executable Steganography via ICO Alpha Channel Exploitation
David Noever, Forrest McKee
2025-07-15
Summary
This paper describes a new way to hide harmful computer code inside website icons called favicons. These icons look normal to users but carry hidden JavaScript code in their transparency (alpha) layer that can run automatically when a webpage loads.
What's the problem?
The problem is that favicons are usually trusted and treated just like pictures, so current security tools often don't inspect them deeply. Attackers can exploit this by embedding malicious scripts inside the icon image without changing how the icon looks, which makes the payload hard to detect and dangerous, because the code runs silently in the browser.
What's the solution?
To demonstrate this, the researchers created a method of hiding compressed JavaScript code inside the alpha transparency layer of the 64x64 pixel ICO files used as favicons. When a browser loads the favicon, it can secretly extract and run this code using ordinary JavaScript features, with no extra downloads or user actions required. The paper also explains how this trick can bypass many common security protections and antivirus scans.
Why it matters
This matters because it reveals a hidden security risk that blurs the line between harmless images and harmful executable code on the web. It shows how attackers can cleverly use required web features to deliver malware in ways that current defenses might miss, pushing security experts to improve protection methods against these invisible threats.
Abstract
This paper presents a novel method of executable steganography that uses the alpha transparency layer of ICO image files to embed and deliver self-decompressing JavaScript payloads within web browsers. By targeting the least significant bit (LSB) of non-transparent alpha-layer values, the proposed method conceals compressed JavaScript code inside a favicon image without affecting visual fidelity. Global web traffic loads 294 billion favicons daily and consumes 0.9 petabytes of network bandwidth. A proof-of-concept implementation demonstrates that a 64x64 ICO image can embed up to 512 bytes uncompressed, or 0.8 kilobytes when using lightweight two-fold compression. On page load, a browser fetches the favicon as part of its standard behavior, allowing an embedded loader script to extract and execute the payload entirely in memory using native JavaScript APIs and canvas pixel access. This creates a two-stage covert channel that requires no additional network requests or user actions. Testing across multiple browsers in both desktop and mobile environments confirms successful and silent execution of the embedded script. We evaluate the threat model, relate it to polymorphic phishing attacks that evade favicon-based detection, and analyze evasion of content security policies and antivirus scanners. We map nine example MITRE ATT&CK Framework objectives to single-line JavaScript payloads that execute from ICO files. Existing steganalysis and sanitization defenses are discussed, highlighting their limitations in detecting or neutralizing alpha-channel exploits. The results demonstrate a stealthy and reusable attack surface that blurs the traditional boundary between static images and executable content. Because modern browsers report only silent errors when developers fail to provide a loadable ICO file, this attack surface offers an interesting example of required web behaviors that in turn compromise security.
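As an added defender-side illustration (not code from the paper or its authors), the following stdlib-only Python check targets the carrier the abstract describes: the LSB plane of non-transparent alpha values in a 64x64 icon. It derives the 512-byte capacity figure from the pixel count and flags an LSB plane whose entropy looks like compressed data rather than a drawn transparency mask. Decoding the ICO container into alpha values is assumed to happen elsewhere; the samples below are constructed lists of alpha bytes, and the 0.9 threshold is a heuristic assumption, not a value from the paper.

```python
import math
import random
from typing import Dict, List, Sequence

WIDTH, HEIGHT = 64, 64          # favicon size used in the paper's proof of concept
PIXELS = WIDTH * HEIGHT         # 4096 alpha values per frame


def lsb_plane(alpha: Sequence[int]) -> List[int]:
    """Least significant bit of every non-transparent alpha value (the carrier bits)."""
    return [a & 1 for a in alpha if a != 0]


def bit_entropy(bits: Sequence[int]) -> float:
    """Shannon entropy in bits/bit: 0.0 for a constant plane, 1.0 for balanced noise."""
    if not bits:
        return 0.0
    p1 = sum(bits) / len(bits)
    return sum(-p * math.log2(p) for p in (p1, 1.0 - p1) if p > 0)


def opaque_capacity_bytes(alpha: Sequence[int]) -> int:
    """One hidden bit per non-transparent pixel, so a fully opaque 64x64 icon carries 512 B."""
    return sum(1 for a in alpha if a != 0) // 8


def check_favicon_alpha(alpha: Sequence[int], threshold: float = 0.9) -> Dict[str, object]:
    """Flag an alpha channel whose LSB plane looks like compressed data, not a drawn mask.
    Natural icons are mostly fully opaque (alpha 255, LSB 1) with a thin anti-aliased edge,
    so their LSB entropy stays low; compressed payload bits are near-random and push it
    toward 1.0. The threshold is an assumed heuristic, not a figure from the paper."""
    entropy = bit_entropy(lsb_plane(alpha))
    return {
        "capacity_bytes": opaque_capacity_bytes(alpha),
        "lsb_entropy": round(entropy, 3),
        "suspicious": entropy >= threshold,
    }


# Constructed samples (not real favicons): a fully opaque icon, the same icon with an
# anti-aliased edge (255 pixels ramping from alpha 1 to 255), and an icon whose LSBs were
# overwritten with pseudo-random bits, which is how a compressed payload looks to a detector.
CLEAN_ALPHA = [255] * PIXELS
EDGE_ALPHA = [i + 1 for i in range(255)] + [255] * (PIXELS - 255)
_rng = random.Random(7)
STEGO_ALPHA = [254 | _rng.getrandbits(1) for _ in range(PIXELS)]

if __name__ == "__main__":
    for name, alpha in (("clean", CLEAN_ALPHA), ("edge", EDGE_ALPHA), ("stego", STEGO_ALPHA)):
        print(name, check_favicon_alpha(alpha))
```

The edge sample shows why a plain "any mixed LSBs" rule would false-positive on ordinary anti-aliased icons, while an entropy threshold separates a thin natural edge from a plane filled with compressed bits.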