A newly uncovered vulnerability dubbed “Janus” poses a significant threat to millions of Android devices, allowing attackers to overwrite legitimate applications with malware without invalidating the applications’ signatures. This critical flaw lets malicious updates be distributed that keep the appearance and functionality of the original applications.
The vulnerability, classified as CVE-2017-13156, was identified by researchers from the mobile security firm GuardSquare and reported to Google earlier this summer. Following a comprehensive review, Google has patched this flaw as part of its December Android Security Bulletin, which included updates for numerous vulnerabilities affecting the platform.
Despite Google’s mitigation efforts, there is a concerning delay in patch deployment for many users, as device manufacturers (OEMs) may take several months to roll out the necessary updates. This lag leaves a vast number of Android users exposed to potential exploitation. The Janus vulnerability specifically impacts applications using APK signature scheme v1 on Android versions 5 (Lollipop) and 6 (Marshmallow).
The mechanism of the Janus vulnerability lies in how APK installations are handled: an attacker can add code to the APK file without affecting the validity of its signature. APK files are ZIP archives, encapsulating application code, resources, and signatures within a single file. The v1 (JAR) signature scheme signs only the individual ZIP entries, so bytes placed outside those entries leave the signature intact. When a user installs or updates an app, Android checks the archive’s signature and separately inspects the file header to recognise DEX files, which is what lets a single file pass as both a validly signed APK and executable DEX code.
What makes Janus particularly insidious is that legitimate and malicious code can coexist within the same APK, eluding detection during the installation process. This means attackers can inject harmful code alongside the original application code without compromising the app’s integrity or validation checks.
Hackers can exploit this vulnerability through various channels, including spam emails, third-party app stores, and man-in-the-middle attacks. Researchers highlight that users may easily be misled by malicious versions of legitimate applications identical to the originals in look and signature. Notably, man-in-the-middle attacks present an opportunity for attackers to inject harmful updates through unencrypted HTTP connections.
GuardSquare emphasizes that during an app update, Android compares the new signature with the installed one, so a malicious update installs as long as its signature matches the original. Consequently, the updated application inherits the permission levels of the original, giving attackers a route to deploy unverified code with extensive permissions onto user devices without raising alarms.
Importantly, this vulnerability does not impact Android 7 (Nougat) and later versions that utilize APK signature scheme v2. Users with older Android devices are urged to update their operating systems where possible. For those whose OEMs do not provide timely security patches, it is advisable to limit application installations and updates to trusted sources such as the Google Play Store.
To mitigate future risks, Android developers are encouraged to adopt signature scheme v2, thereby reinforcing their applications’ defenses against tampering. As always, vigilance is paramount when downloading apps and updates, and users are advised to check carefully where their applications come from.
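Two structural checks a defender or developer can run over an APK follow from the mechanism described above: whether anything sits before the first ZIP entry (bytes a v1 signature never covers) and whether the file carries an APK Signing Block, which scheme v2 uses to cover the whole file. The code below is an added example, not GuardSquare's or Google's tooling; the archives it builds are constructed fixtures, and the signing block it inserts is an empty dummy that shows the layout, not a real signature.

```python
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"
EOCD_SIG = b"PK\x05\x06"
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # trailing magic of an APK Signing Block (scheme v2+)

def central_directory_offset(apk: bytes) -> int:
    """Read the central-directory offset from the end-of-central-directory record."""
    eocd = apk.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP/APK: no end-of-central-directory record")
    return struct.unpack_from("<I", apk, eocd + 16)[0]

def has_leading_non_zip_data(apk: bytes) -> bool:
    """A v1 (JAR) signature covers only the ZIP entries, so bytes placed before the
    first local file header are never verified; flag any such prefix."""
    return not apk.startswith(ZIP_LOCAL_HEADER)

def has_v2_signing_block(apk: bytes) -> bool:
    """The APK Signing Block sits immediately before the central directory and ends
    with a 16-byte magic; Android 7+ uses it to verify the whole file, not entries."""
    cd = central_directory_offset(apk)
    return cd >= 16 and apk[cd - 16:cd] == APK_SIG_BLOCK_MAGIC

# --- constructed fixtures (not real APKs), only to exercise the two checks ---
def build_minimal_apk() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"placeholder dex bytes")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()

def with_dummy_signing_block(apk: bytes) -> bytes:
    """Wedge an empty, unsigned dummy APK Signing Block before the central directory
    and fix the EOCD offset, to show where a real v2 block would live."""
    cd = central_directory_offset(apk)
    block = struct.pack("<Q", 24) + struct.pack("<Q", 24) + APK_SIG_BLOCK_MAGIC
    out = bytearray(apk[:cd] + block + apk[cd:])
    struct.pack_into("<I", out, out.rfind(EOCD_SIG) + 16, cd + len(block))
    return bytes(out)

if __name__ == "__main__":
    plain = build_minimal_apk()
    print(has_leading_non_zip_data(plain), has_v2_signing_block(plain))  # False False
    print(has_leading_non_zip_data(b"\x00" * 8 + plain))                  # True
    print(has_v2_signing_block(with_dummy_signing_block(plain)))          # True
```

The dummy block only proves the offset arithmetic; a real v2 block also needs cryptographic verification, which `apksigner verify` performs on a built APK.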
In conclusion, the Janus vulnerability serves as a stark reminder of the ongoing cybersecurity challenges faced by Android users, emphasizing the need for proactive measures in app security and user awareness to minimize the risk of exploitation.