Hacking

Android Janus vulnerability allows attackers to inject Malware into legitimate apps avoiding detection

Google fixed a bug dubbed Janus that could be exploited by attackers to inject malicious code into Android apps without affecting an app’s signature.

Google fixed four dozen vulnerabilities this week, including a bug dubbed Janus that could be exploited by attackers to inject malicious code into Android apps without affecting an app’s signature verification certificates.

Millions of Android devices are at risk of a cyber attack due to this flaw (CVE-2017-13156), that allows attackers to secretly overwrite legitimate applications installed on victims’ mobile devices with a malware.

The vulnerability was reported to Google by security researchers from mobile security firm GuardSquare this summer and has been fixed now as part of the December Android Security Bulletin.

The attack technique discovered by Guardsquare allows by bypass anti-malware protection mechanisms and escalate privileges on targeted devices using signed apps that appear to be from trusted publishers.

“A serious vulnerability (CVE-2017-13156) in Android allows attackers to modify the code in applications without affecting their signatures. The root of the problem is that a file can be a valid APK file and a valid DEX file at the same time. We have named it the Janus vulnerability, after the Roman god of duality.” states the analysis published by Guardsquare.

The vulnerability affects in the way Android handles APK installation for some apps, allowing to add extra bytes of code to an APK file without modifying the app’s signature.

An APK file is an archive, just like Zip, that includes application code, resources, assets, signatures, certificates, and manifest file.

Earlier versions of Android (5.0 Lollipop and Marshmallow 6.0) also support a process virtual machine that helps to execute APK archives containing a compiled version of application code and files, compressed with DEX (Dalvik EXecutable) file format.

While installing an app, the OS checks APK header information to determine if the archive contains code in the compressed DEX files. If the APK archive contains DEX files, the process virtual machine decompiles the code accordingly and executes it; otherwise, it runs the code as a regular APK file.

It turns out that an APK archive can contain DEX files as well as regular application code simultaneously, without affecting its validity and signatures.Researchers discovered that it is possible to add extra bytes of code to the archive due to lack of file integrity checking.

“The Janus vulnerability stems from the possibility to add extra bytes to APK files and to DEX files. On the one hand, an APK file is a zip archive, which can contain arbitrary bytes at the start, before its zip entries (actually more generally, between its zip entries). The JAR signature scheme only takes into account the zip entries. It ignores any extra bytes when computing or verifying the application’s signature.” continue the analysis.

“On the other hand, a DEX file can contain arbitrary bytes at the end, after the regular sections of strings, classes, method definitions, etc. A file can, therefore, be a valid APK file and a valid DEX file at the same time.”

Attackers can prepend malicious code compiled in DEX format into an APK archive containing legitimate code with valid signatures, tricking app installation process to execute both codes on the device avoid detection.

The researchers developed a simple tool to create Janus applications as a proof of concept, the good news is that according to the experts, at this time, there are similar applications in the wild.

The Janus tool allows an attacker to inject an APK file with a malicious DEX (Dalvik Executable) file. DEX files make up the code inside Android programs that are zipped into single APKs.

The researchers described also possible attack scenarios, for example, an attacker can replace a trusted application with high privileges (i.e. a system app) by a modified update to abuse its permissions. Another attack scenario sees a hacker passing a modified clone of a sensitive application as a legitimate update, for instance in the context of banking or communications.

Android versions older than Nougat (7.0) and any Android devices that support the APK signature scheme v1 are affected by the Janus vulnerability.

The Android devices updated to support APK signature scheme v2, introduced in July 2016, are not impacted.

Unfortunately, most of Android users would not receive these patches for the next month, until their device manufacturers (OEMs) release custom updates for them.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Janus vulnerability, Android)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

1 hour ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

8 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

19 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

23 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

This website uses cookies.