Google fixed four dozen vulnerabilities this week, including a bug dubbed Janus that could be exploited by attackers to inject malicious code into Android apps without affecting an app’s signature verification certificates.
Millions of Android devices are at risk of a cyber attack due to this flaw (CVE-2017-13156), that allows attackers to secretly overwrite legitimate applications installed on victims’ mobile devices with a malware.
The vulnerability was reported to Google by security researchers from mobile security firm GuardSquare this summer and has been fixed now as part of the December Android Security Bulletin.
The attack technique discovered by Guardsquare allows by bypass anti-malware protection mechanisms and escalate privileges on targeted devices using signed apps that appear to be from trusted publishers.
“A serious vulnerability (CVE-2017-13156) in Android allows attackers to modify the code in applications without affecting their signatures. The root of the problem is that a file can be a valid APK file and a valid DEX file at the same time. We have named it the Janus vulnerability, after the Roman god of duality.” states the analysis published by Guardsquare.
The vulnerability affects in the way Android handles APK installation for some apps, allowing to add extra bytes of code to an APK file without modifying the app’s signature.
An APK file is an archive, just like Zip, that includes application code, resources, assets, signatures, certificates, and manifest file.
Earlier versions of Android (5.0 Lollipop and Marshmallow 6.0) also support a process virtual machine that helps to execute APK archives containing a compiled version of application code and files, compressed with DEX (Dalvik EXecutable) file format.
While installing an app, the OS checks APK header information to determine if the archive contains code in the compressed DEX files. If the APK archive contains DEX files, the process virtual machine decompiles the code accordingly and executes it; otherwise, it runs the code as a regular APK file.
It turns out that an APK archive can contain DEX files as well as regular application code simultaneously, without affecting its validity and signatures.Researchers discovered that it is possible to add extra bytes of code to the archive due to lack of file integrity checking.
“The Janus vulnerability stems from the possibility to add extra bytes to APK files and to DEX files. On the one hand, an APK file is a zip archive, which can contain arbitrary bytes at the start, before its zip entries (actually more generally, between its zip entries). The JAR signature scheme only takes into account the zip entries. It ignores any extra bytes when computing or verifying the application’s signature.” continue the analysis.
“On the other hand, a DEX file can contain arbitrary bytes at the end, after the regular sections of strings, classes, method definitions, etc. A file can, therefore, be a valid APK file and a valid DEX file at the same time.”
Attackers can prepend malicious code compiled in DEX format into an APK archive containing legitimate code with valid signatures, tricking app installation process to execute both codes on the device avoid detection.
The researchers developed a simple tool to create Janus applications as a proof of concept, the good news is that according to the experts, at this time, there are similar applications in the wild.
The Janus tool allows an attacker to inject an APK file with a malicious DEX (Dalvik Executable) file. DEX files make up the code inside Android programs that are zipped into single APKs.
The researchers described also possible attack scenarios, for example, an attacker can replace a trusted application with high privileges (i.e. a system app) by a modified update to abuse its permissions. Another attack scenario sees a hacker passing a modified clone of a sensitive application as a legitimate update, for instance in the context of banking or communications.
Android versions older than Nougat (7.0) and any Android devices that support the APK signature scheme v1 are affected by the Janus vulnerability.
The Android devices updated to support APK signature scheme v2, introduced in July 2016, are not impacted.
Unfortunately, most of Android users would not receive these patches for the next month, until their device manufacturers (OEMs) release custom updates for them.
(Security Affairs – Janus vulnerability, Android)