Millions of Android devices are at serious risk from a newly disclosed critical vulnerability that allows attackers to secretly overwrite legitimate applications installed on a smartphone with malicious versions.
Dubbed Janus, the vulnerability allows attackers to modify the code of Android apps without affecting their signature verification, eventually allowing them to distribute a malicious update for a legitimate app that looks and works the same as the original.
The vulnerability (CVE-2017-13156) was discovered and reported to Google by security researchers from the mobile security firm GuardSquare this summer, and has been patched by Google, among four dozen other vulnerabilities, as part of its December Android Security Bulletin.
However, the worrisome part is that the majority of Android users may not receive these patches for the next few months, until their device manufacturers (OEMs) release custom updates for them, apparently leaving a large number of smartphone users vulnerable to attackers.
The vulnerability affects apps using APK signature scheme v1 installed on devices running Android versions 5 (Lollipop) and 6 (Marshmallow).
Explained: How Does the Android Janus Vulnerability Work?
The vulnerability resides in the way Android handles APK installation for some apps, leaving the possibility of adding extra bytes of code to an APK file without affecting the application's signature.
Before proceeding further, you need to know some basics about APK files.
A valid APK file is a type of archive, just like a ZIP file, which includes application code, resources, assets, signatures, certificates, and the manifest file.
Earlier versions of the Android operating system, 5.0 (Lollipop) and 6.0 (Marshmallow), also support a process virtual machine that executes APK archives containing a compiled version of the application code and files in the DEX (Dalvik EXecutable) file format.
While installing an Android app or its update, your device checks the APK's header information to determine whether the archive contains code in the compiled DEX format.
If the header says the archive contains DEX files, the process virtual machine handles the DEX code accordingly and executes it; otherwise, it runs the code as a regular APK file.
It turns out that an APK archive can contain a DEX file and regular application code simultaneously, without affecting its validity or its signatures.
The researchers found that this ability to add extra bytes of code, due to a lack of file integrity checking, could allow attackers to prepend malicious code compiled in the DEX format to an APK archive containing legitimate code with valid signatures, eventually tricking the app installation process into executing both on the targeted device without being detected.
In other words, the hack doesn't require attackers to modify the code of legitimate applications (which would make the signatures invalid); instead, the vulnerability allows malware authors to merely add some extra malicious lines of code to the original app.
After creating malicious yet valid versions of legitimate applications, hackers can distribute them using various attack vectors, including spam emails, third-party app stores delivering fake apps and updates, social engineering, and even man-in-the-middle attacks.
According to the researchers, it may be "relatively easy to trick some users because the application can still look exactly like the original application and has the proper signature."
I find the man-in-the-middle attack more interesting, as it could allow hackers to push a malicious installation to apps designed to receive their updates over an unencrypted HTTP connection.
"When the user downloads an update of an application, the Android runtime compares its signature with the signature of the original version. If the signatures match, the Android runtime proceeds to install the update," GuardSquare explains.
"The updated application inherits the permissions of the original application. Attackers can, therefore, use the Janus vulnerability to mislead the update process and get unverified code with powerful permissions installed on the devices of unsuspecting users."
"For experts, the common reverse engineering tools do not show the injected code. Users should always be vigilant when downloading applications and updates," the security firm added.
Since this vulnerability does not affect Android 7 (Nougat) and later, which support APK signature scheme version 2, users running older Android versions are strongly advised to upgrade their device OS (if an update is available).
It's unfortunate, but if your device neither receives security patches nor offers the latest Android version, then you should not install apps and updates from outside the Google Play Store, to minimise the risk of being hacked.
Researchers also advised Android developers to always apply signature scheme v2 to ensure their apps cannot be tampered with.
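The two points above, that a Janus-style file is a DEX header sitting in front of an otherwise validly signed ZIP archive (the v1 signature only covers the ZIP entries, so the prepended bytes are unsigned) and that a v2 signature lives in an "APK Sig Block 42" block placed directly before the ZIP central directory, can both be checked from the file layout alone. The following is an added example written for this article; it is not code from GuardSquare, Google or the article itself. It parses the public ZIP end-of-central-directory and central-directory records and the APK Signing Block framing, and reports prepended data and whether a v2 block is present. It only checks framing (verifying the signatures themselves is the platform's or apksigner's job), it does not handle ZIP64, and every sample APK it uses is constructed in memory from placeholder bytes, not real bytecode or a real signature.

```python
"""Read-only APK layout checks: Janus-style prepended data and v2 signing block presence.

Added example, not code from the article, GuardSquare or Google. Assumes only the public
ZIP format and Android's documented APK Signing Block framing. Sample files are constructed.
"""
import io
import struct
import zipfile

DEX_MAGIC_PREFIX = b"dex\n"                # full DEX magic is "dex\n" + 3-digit version + "\0"
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # 16-byte trailer of the APK Signing Block
EOCD_SIG = b"PK\x05\x06"
CD_ENTRY_SIG = b"PK\x01\x02"
EOCD_FMT = "<4sHHHHIIH"        # sig, disk, cd_disk, n_disk, n_total, cd_size, cd_offset, comment_len
CD_ENTRY_FMT = "<4s6H3I5H2I"   # 46-byte fixed part of a central-directory entry


def find_eocd(data: bytes) -> int:
    """Offset of the End Of Central Directory record (searching back past any ZIP comment)."""
    pos = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 0xFFFF))
    if pos < 0:
        raise ValueError("not a ZIP archive: no EOCD record")
    return pos


def inspect_apk(data: bytes) -> dict:
    """Report unsigned prepended bytes, a DEX header at offset 0, and v2 block presence."""
    eocd = find_eocd(data)
    _, _, _, _, n_entries, cd_size, cd_offset, _ = struct.unpack_from(EOCD_FMT, data, eocd)
    # If the ZIP offsets are still relative to the original archive, the gap between where the
    # central directory should end and where the EOCD really is equals the prepended length
    # (Python's zipfile tolerates this for self-extracting archives and calls it "concat").
    concat = eocd - cd_size - cd_offset
    cd_pos = cd_offset + concat
    # If instead the offsets were rewritten to absolute values, the gap shows up as the
    # lowest local-file-header offset referenced from the central directory.
    lowest_local_header = None
    pos = cd_pos
    for _ in range(n_entries):
        fields = struct.unpack_from(CD_ENTRY_FMT, data, pos)
        if fields[0] != CD_ENTRY_SIG:
            raise ValueError("corrupt central directory")
        name_len, extra_len, comment_len, local_header_offset = fields[10], fields[11], fields[12], fields[16]
        if lowest_local_header is None or local_header_offset < lowest_local_header:
            lowest_local_header = local_header_offset
        pos += 46 + name_len + extra_len + comment_len
    prepended = (lowest_local_header or 0) + concat
    starts_with_dex = data[:4] == DEX_MAGIC_PREFIX
    has_v2_block = cd_pos >= 16 and data[cd_pos - 16:cd_pos] == APK_SIG_BLOCK_MAGIC
    if starts_with_dex and prepended > 0:
        verdict = "janus-hybrid"    # runtime sees a DEX file, the v1 signer only saw the ZIP entries
    elif prepended > 0:
        verdict = "prepended-data"  # unsigned bytes before the archive; never a legitimate layout
    else:
        verdict = "ok"
    return {"prepended_bytes": prepended, "starts_with_dex": starts_with_dex,
            "has_v2_block": has_v2_block, "verdict": verdict}


def opens_as_zip(data: bytes) -> bool:
    """Ordinary ZIP tooling tolerates prepended data, which is why a hybrid survives casual inspection."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return z.testzip() is None
    except zipfile.BadZipFile:
        return False


def build_sample_apk() -> bytes:
    """Constructed fixture: a minimal ZIP with APK-like entry names and placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", "<!-- constructed placeholder manifest -->")
        z.writestr("classes.dex", "constructed placeholder, not real bytecode")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


def with_fake_signing_block(apk: bytes) -> bytes:
    """Constructed fixture: insert an APK-Signing-Block-shaped blob (correct framing, no real
    signature) between the entries and the central directory, patching the EOCD offset."""
    eocd = find_eocd(apk)
    sig, disk, cd_disk, n_disk, n_total, cd_size, cd_offset, clen = struct.unpack_from(EOCD_FMT, apk, eocd)
    value = b"\0" * 4                                              # placeholder, not a real v2 signer
    pair = struct.pack("<QI", 4 + len(value), 0x7109871A) + value  # 0x7109871A is the v2 block ID
    block_size = len(pair) + 8 + 16                                # pairs + trailing size + magic
    block = struct.pack("<Q", block_size) + pair + struct.pack("<Q", block_size) + APK_SIG_BLOCK_MAGIC
    new_eocd = struct.pack(EOCD_FMT, sig, disk, cd_disk, n_disk, n_total, cd_size, cd_offset + len(block), clen)
    return apk[:cd_offset] + block + apk[cd_offset:eocd] + new_eocd + apk[eocd + 22:]


CLEAN_APK = build_sample_apk()
V2_FRAMED_APK = with_fake_signing_block(CLEAN_APK)
# Constructed stand-in for the Janus layout: 32 placeholder bytes starting with the DEX magic
# (a real DEX header is 0x70 bytes) in front of the untouched archive.
JANUS_LIKE_APK = b"dex\n035\0" + b"\0" * 24 + CLEAN_APK

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_APK), ("v2-framed", V2_FRAMED_APK), ("janus-like", JANUS_LIKE_APK)]:
        print(name, opens_as_zip(blob), inspect_apk(blob))
```

Run against the constructed samples, the hybrid still opens cleanly with `zipfile` (matching GuardSquare's remark that common tools do not show the injected code) but is reported as `janus-hybrid` with 32 unsigned prepended bytes, while the clean archive reports no prepended data and, lacking an APK Signing Block, is flagged as v1-only. On a real APK, `has_v2_block` is the quick way to confirm that a developer has followed the v2 signing advice; whether that block's signatures actually verify is a separate step for `apksigner verify`.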