An Android vulnerability has been uncovered that allows attackers to modify apps in an undetected way, without affecting their signatures.
The flaw (CVE-2017-13156) allows a single file to be both a valid APK file and a valid DEX file at the same time, according to GuardSquare, which has named it the Janus vulnerability, after the Roman god of duality.
“In theory, the Android runtime loads the APK file, extracts its DEX file and then runs its code,” said researchers, in an analysis. “In practice, the virtual machine can load and execute both APK files and DEX files. When it gets an APK file, it still looks at the magic bytes in the header to decide which type of file it is. If it finds a DEX header, it loads the file as a DEX file. Otherwise, it loads the file as an APK file containing a zip entry with a DEX file. It can thus misinterpret dual DEX/APK files.”
When the user downloads an update of an application, the Android runtime compares its signature with the signature of the original version. If the signatures match, the Android runtime proceeds to install the update. Nefarious types can leverage the Janus issue to prepend a malicious DEX file to an APK file: Android still accepts the APK file as a valid update of a legitimate earlier version of an app, because the signature check passes, but the code it then runs is loaded from the injected DEX file rather than from the original APK.
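The magic-byte decision described above, and the prepended-DEX layout that exploits it, can be turned into a detector. The example below is added here and is not GuardSquare's code or Android's; it mimics the runtime's header check, then adds the check the runtime lacks (does the zip archive actually start at byte 0?), and generalizes it to flag any prefix on an APK, not only a DEX one. All sample files are constructed in the block and are not loadable DEX or installable APK files.

```python
import io
import zipfile

DEX_MAGIC = b"dex\n"            # a real DEX continues with a 3-digit version and NUL, e.g. b"035\0"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def classify(data: bytes) -> str:
    """Mimic the runtime's magic-byte decision, then add the offset check it lacks."""
    starts_dex = data.startswith(DEX_MAGIC)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # zipfile locates the archive from its end-of-central-directory record, so
            # a zip with arbitrary bytes prepended still opens: the property Janus abuses.
            is_apk = zf.testzip() is None and "classes.dex" in zf.namelist()
    except zipfile.BadZipFile:
        is_apk = False
    if starts_dex and is_apk:
        return "dual"               # runtime loads the DEX half, signature check sees the APK half
    if starts_dex:
        return "dex"
    if is_apk and data.startswith(ZIP_LOCAL_HEADER):
        return "apk"
    if is_apk:
        return "apk-with-prefix"    # any prepended bytes on an APK warrant rejection, not only a DEX
    return "unknown"


def constructed_apk(dex_payload: bytes) -> bytes:
    """Constructed sample: a minimal zip with the entries a detector looks for."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed manifest placeholder>")
        zf.writestr("classes.dex", dex_payload)
    return buf.getvalue()


def constructed_dex(body: bytes) -> bytes:
    """Constructed sample: only the 8-byte magic is realistic; the body is filler."""
    return DEX_MAGIC + b"035\0" + body


if __name__ == "__main__":
    apk = constructed_apk(constructed_dex(b"original code"))
    dual = constructed_dex(b"injected code") + apk    # the layout the article describes
    for name, blob in [("apk", apk), ("dex", constructed_dex(b"x")), ("dual", dual)]:
        print(name, "->", classify(blob))
```

On a real APK the same function applies unchanged; a "dual" or "apk-with-prefix" verdict is a file that should never be installed or re-signed.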
“The updated application inherits the permissions of the original application,” the researchers said. “Attackers can, therefore, use the Janus vulnerability to mislead the update process and get unverified code with powerful permissions installed on the devices of unsuspecting users.”
Depending on the targeted application, an attacker can access sensitive information stored on the device or take over the device completely. Alternatively, an attacker can pass off a modified clone of a sensitive application, for instance a banking or messaging app, as a legitimate update. The cloned application can look and behave like the original application while injecting malicious behavior.
“Any scenario still requires the user to install the malicious update from a source outside the Google Play store,” the researchers said. “It may be relatively easy to trick some users because the application can still look exactly like the original application and has the proper signature. For experts, the common reverse engineering tools do not show the injected code. Users should always be vigilant when downloading applications and updates.”
The Janus vulnerability affects recent Android devices (Android 5.0 and newer). Google has released a patch to its OEM partners.