Janus vulnerability

Google's December 2017 Android Security Bulletin contains a fix for a vulnerability that allows malicious actors to bypass app signatures and inject malicious code into Android apps.

Discovered by the research team at mobile security firm GuardSquare, the vulnerability resides in the mechanism Android OS uses to read application signatures.

Researchers inject malicious DEX inside APK file

GuardSquare researchers say that the Android OS sparingly checks bytes at various locations to verify a file's integrity.

The location of these bytes are different for APK and DEX files, and researchers discovered that they could inject a DEX file inside an APK and the Android OS would still think it's reading the original APK file.

This happens because the DEX insertion process does not alter the bytes Android checks for integrity, and the file's signature never changes.

Perfect attack for malware distribution

In real-life scenarios, this vulnerability —which GuardSquare named Janus after the Roman god of duality— allows an attacker to inject malicious DEX files inside a valid Android app update (APK file).

Furthermore, because the updated application inherits the permissions of the original application, malware delivered through this method can easily obtain very intrusive access rights by exploiting apps users normally consider safe.

The only downside of a Janus attack is that it cannot be performed by hosting malicious updates on the official Play Store, and attackers must lure users on third-party app stores and trick them into installing updates for legitimate apps.

According to GuardSquare, the Janus vulnerability affects only apps signed with the app signature scheme v1. Apps signed with the signature scheme v2 are not affected.

In addition, Janus only affects devices running Android 5.0 and later. An Android update that patches phones against Janus is available for owners of Google smartphones. The rest of the Android pleb is at the mercy of mobile carriers.