If the user selects their 'secret image' from a known pool of images (as would probably be the case if this is at the OS-level), then the attacker just has to select one of those images (preferably a cute one) and then they know that at least some of the users they snag will have that as their security image.