Can images contain malicious code and malware?

Updated at: Oct 01, 2019
By Gatefy

Images and malicious code and malware

That photo you just received might not be a simple image. It could be an image that can hack your device and cause, for example, a data breach in your company. The risk is real because people usually don’t see dangers in common image files, such as jpg, gif, bmp and png, and cybercriminals know that. 

As you'll learn in this article, the fact is that, yes, there are different ways of using images to infect devices. So be careful when opening an email or viewing an image in your browser.


One of the most advanced techniques for using images for malicious purposes is called stegosploit. This method consists of hiding malicious code or malware within an image's pixels.

The concept was coined by security researcher Saumil Shah in 2015. At a cybersecurity conference, Shah demonstrated how JavaScript could be concealed and then executed while an image is loading. He called the malicious code "IMAJS".

The script could execute malicious code, upload data, and download malicious attachments. What is most striking is that the image has virtually no visible imperfections, which makes the attack difficult for a person to recognize.

To summarize, Shah showed the world how a device can be hacked when an image is opened in a browser. As you can imagine, this technique presents a real danger for every user, and especially for companies.

Spam and image

Another trick used by criminals involves images and spam. In these cases, the image itself isn’t dangerous. It serves only as bait to catch your attention. You’re then prompted to take an action, such as clicking a malicious link or downloading an infected file.

Remember: images can be embedded directly in emails, unlike, for example, a PDF file, which needs to be attached. Therefore, you should pay extra attention to images. The good news is that, in general, email providers don’t display images unless you allow it.

Double extension

This is an old trick too. A double extension happens when criminals try to fool people by playing with the names of the extensions. For example, a malicious file named example.jpg.exe could easily appear to the user just as example.jpg.

Certainly, many people wouldn't think twice about clicking on the file. In fact, they would only discover the problem later, when their devices were already infected by malware or ransomware.
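
A mail or upload filter can check attachment names for the double-extension pattern described above. The following Python is an added example, not code from Gatefy; the extension lists, function names and sample files are assumptions made for illustration. It goes one step beyond the article by also comparing a file's leading bytes with the image format its name claims.

```python
import os

# Assumed lists for illustration; extend them to match local policy.
IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".bmp", ".png"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".pif"}

# Leading bytes ("magic numbers") of the image formats named in the article.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".bmp": (b"BM",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}

def split_extensions(filename):
    """Return every dot-separated suffix, lower-cased, with padding removed."""
    name = os.path.basename(filename).rstrip(". ").lower()
    return ["." + p.strip() for p in name.split(".")[1:] if p.strip()]

def check_attachment(filename, head=b""):
    """Return findings for one attachment name and (optionally) its first bytes."""
    findings = []
    exts = split_extensions(filename)
    if not exts:
        return findings
    final = exts[-1]
    # example.jpg.exe: an image extension followed by an executable one.
    if final in EXECUTABLE_EXTS and any(e in IMAGE_EXTS for e in exts[:-1]):
        findings.append("double-extension")
    # Name claims an image, but the content does not start like that format.
    if final in IMAGE_EXTS and head:
        if not any(head.startswith(m) for m in IMAGE_MAGIC[final]):
            findings.append("content-mismatch")
    return findings

if __name__ == "__main__":
    # Constructed sample attachments: (name, first bytes of the file).
    samples = [
        ("example.jpg.exe", b"MZ\x90\x00"),
        ("holiday.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
        ("invoice.jpg", b"MZ\x90\x00"),
        ("report.v2.png", b"\x89PNG\r\n\x1a\n"),
    ]
    for name, head in samples:
        print(f"{name:18} {check_attachment(name, head) or 'ok'}")
```

A clean result only means the name and header are consistent; it says nothing about code hidden in pixel data as in the stegosploit technique.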