Since Android runs on a very large number of devices, it is an attractive target for attackers. Over the past few months, vulnerabilities in Google's mobile operating system have continued to surface. Recently, security researchers disclosed a flaw that tricked Android users into letting attackers record their devices' screens. That issue was fixed in Android Oreo, but analysts at GuardSquare have now reported another serious vulnerability, one that affects Android apps signed with an older signature scheme. Google's newly released December 2017 Android Security Bulletin contains a patch for it: a flaw that lets attackers bypass app signature verification and inject malicious code into Android apps.
Dubbed the "Janus vulnerability", it resides in the way the Android operating system verifies and loads application files. According to GuardSquare's report, Janus allows an attacker to modify an application's code without invalidating its signature. The root cause, the report states, is that a single file can be both a valid APK file and a valid DEX file at the same time.
According to the GuardSquare researchers, Android verifies a file's integrity by checking bytes at only a few locations, and those locations differ between an APK (a ZIP archive, which a parser reads starting from the end-of-central-directory record at its tail) and a DEX file (identified by the magic bytes at its head). The researchers found that they could prepend a DEX file to an APK and the Android OS would still treat the result as the original, validly signed APK.
GuardSquare also pointed out that the key enabler of Janus is an otherwise harmless feature of the Dalvik/ART virtual machine. In theory, the Android runtime opens the APK, extracts the classes.dex it contains and runs that code. In practice, the VM can load and execute either an APK or a bare DEX file: when handed a file, it looks at the magic bytes in the header to decide which of the two it is. Because prepending a DEX does not alter the bytes that Android checks for integrity, the app signature does not change either, yet the runtime sees the DEX magic first and executes the injected code instead of the original classes.dex.
Whenever a user installs an update, Android verifies that the update's signature matches the version already installed. If the check passes, the updated application inherits all permissions that had been granted to the original. An attacker can therefore exploit Janus to pass the signature check and get unverified code installed on the device under the identity and permissions of the legitimate app.
What worries security experts most is that this unverified code can obtain powerful permissions, which raises severe risks. According to GuardSquare:
“An attacker can replace a trusted application with high privileges (a system app, for instance) by a modified update to abuse its permissions. Depending on the targeted application, this could enable the hacker to access sensitive information stored on the device or even take over the device completely. Alternatively, an attacker can pass a modified clone of a sensitive application as a legitimate update [which] can look and behave like the original application but inject malicious behavior.”
GuardSquare also noted that Janus only affects apps signed with APK signature scheme v1; apps signed with signature scheme v2, available since Android 7.0, are protected, because v2 covers the file as a whole rather than just the archive entries. Note that devices older than 7.0 only understand v1, so an app signed with both schemes is protected only on 7.0 and newer. The vulnerability affects devices running Android 5.0 and newer, up to and including 8.0 prior to the December 2017 patch; versions older than 5.0 are not affected.
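The following Python script is an added illustration of the two points above, the "one file, two valid formats" loading behaviour and the difference between per-entry (v1) and whole-file (v2) verification. It is not GuardSquare's proof of concept and not part of the original article. It builds a constructed stub APK (a plain ZIP) and a constructed header-sized stub DEX that contains no real bytecode, glues them together in the Janus layout, and then runs two hypothetical checks: a per-entry digest check standing in for the v1 scheme's MANIFEST.MF entry digests, and a whole-file digest standing in for v2's coverage. The names `build_apk`, `make_polyglot`, `classify`, `entry_digests` and `whole_file_digest` are my own.

```python
"""Added illustration (not GuardSquare's proof of concept): build a constructed
DEX/ZIP polyglot in memory and show why a per-entry (v1-style) integrity check
still passes while a whole-file (v2-style) check does not."""
import hashlib
import io
import zipfile

# A DEX file starts with "dex\n" + three version digits + NUL, e.g. b"dex\n035\0".
# ART decides "bare DEX or ZIP?" from these leading bytes.
DEX_MAGIC = b"dex\n035\0"


def build_apk(entries):
    """Constructed stand-in for an APK: a plain ZIP with the given name->bytes entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def make_polyglot(dex_blob, apk_blob):
    """The Janus layout: DEX bytes first, the untouched ZIP after them.

    A ZIP reader locates the central directory through the end-of-central-directory
    record at the tail of the file, so leading bytes are never inspected; Python's
    zipfile transparently compensates for the resulting offset shift (it does the
    same for self-extracting archives). A real attack must also keep the DEX's own
    internal offsets valid, which this zero-filled stub does not attempt.
    """
    return dex_blob + apk_blob


def looks_like_dex(blob):
    """Mimic the magic-byte test: 'dex\\n' + 3 version digits + NUL at offset 0."""
    return blob[:4] == b"dex\n" and blob[4:7].isdigit() and blob[7:8] == b"\0"


def looks_like_zip(blob):
    """zipfile.is_zipfile only needs a valid end-of-central-directory record."""
    return zipfile.is_zipfile(io.BytesIO(blob))


def entry_digests(blob):
    """v1-style check: digest each archive entry, as MANIFEST.MF/.SF records do."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {n: hashlib.sha256(zf.read(n)).hexdigest() for n in zf.namelist()}


def whole_file_digest(blob):
    """v2-style check: digest the file as a whole (v2 covers all but its signing block)."""
    return hashlib.sha256(blob).hexdigest()


def classify(blob):
    """Report which format(s) a blob satisfies; a Janus file satisfies both."""
    dex, zip_ = looks_like_dex(blob), looks_like_zip(blob)
    if dex and zip_:
        return "dex+apk polyglot"
    if dex:
        return "dex"
    if zip_:
        return "apk"
    return "unknown"


def demo():
    """Constructed sample: a stub APK and a 0x70-byte stub DEX header (no real bytecode)."""
    apk = build_apk({"classes.dex": b"original bytecode",
                     "AndroidManifest.xml": b"<manifest/>"})
    stub_dex = DEX_MAGIC + b"\0" * 0x68  # magic plus zero-filled remainder of the header
    poly = make_polyglot(stub_dex, apk)
    return {
        "apk": classify(apk),
        "poly": classify(poly),
        "v1_passes": entry_digests(poly) == entry_digests(apk),
        "v2_passes": whole_file_digest(poly) == whole_file_digest(apk),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script reports the untouched archive as `apk`, the prepended file as `dex+apk polyglot`, and shows that every entry digest is unchanged while the whole-file digest differs. That is the whole story in miniature: a check that covers only archive entries cannot see bytes placed in front of the archive, whereas a check that covers the file as a whole does. The script leans on `zipfile`'s tolerance for leading data; whether a given ZIP parser on the target needs the central-directory offsets rewritten for the prepended length is outside what this page covers.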