A recently patched Android bug dubbed “Janus” allows an attacker to distribute their own updates for the legitimate apps which look and work same as the original apps but allow the attacker to carry out their own malicious behavior in the background.
The vulnerability, (CVE-2017-13156) affects Android 5.0 devices and newer while applications that have been signed with APK signature scheme v2 and that are running on devices supporting the latest signature scheme (Android 7.0 and newer) are protected, GuardSquare researchers who discovered the flaw said in a blog post.
Janus allows attackers to secretly modify the code of Android applications installed on a user’s smartphone using their malicious versions without affecting the application’s verification signatures. The problem stems from the fact that the platform allows a file to be a valid APK file and a valid DEX file at the same time. The name Janus references the name of the Roman god of duality.
“When designing data formats, protocols, data structures and code in general, one should always strive to avoid redundancy,” researchers said in the post. “Any discrepancies lead to bugs or worse.”
On the one hand, an APK file is a zip archive, which can contain arbitrary bytes at the start, before its zip entries while on the other hand, a DEX file can contain arbitrary bytes at the end, after the regular sections of strings, classes, method definitions, etc.
An attacker can leverage the duality by prepend a malicious DEX file to an APK file, without affecting its signature. The Android runtime will then accept the APK file as a valid update of a legitimate earlier version of the app however, the Dalvik VM loads the code from the injected DEX file, researchers said in the post.
An attacker exploiting the flaw could replace a trusted application that already has high privileges, such as a system app, with one of their updates to abuse the permissions that have already been granted. This could enable the attack to access sensitive information stored in the devices or enable the attacker to seize control over the device completely.
In another scenario, the attacker could pass a modified clone of a sensitive application off as a legitimate update such as a banking or communications application and use the clone to look and behave like the original application but inject malicious behavior.
Fortunately the attack is still just a proof of concept and was reported to Google on July 31, 2017 and published in the Android Security Bulletin on December 4, 2017.
“Any scenario still requires the user to install the malicious update from a source outside the Google Play store,” researchers said. “It may be relatively easy to trick some users because the application can still look exactly like the original application and has the proper signature.”
Rusty Carter, VP of product management at Arxan told SC media the vulnerability is significantly different as it would allow an attacker to augment or inject code into an application on a non- rooted device without disrupting the application’s signature.
“This example is evidence that these vulnerabilities DO exist and without protection, app users, creators and owners run the risk of an attacker finding that next 0-day,” Carter said. “As such, organizations with apps must be sure they are implementing anti-tamper technology within their apps.”
Users are encouraged to update as soon as possible if they already haven’t.