Millions of Android devices are at serious risk from a newly disclosed critical vulnerability that lets attackers silently replace legitimate applications installed on a smartphone with malicious versions.
Dubbed Janus, the vulnerability allows attackers to modify the code of an Android app without invalidating its signature, so they can distribute a malicious update for a legitimate app that looks and works the same as the original.
The vulnerability (CVE-2017-13156) was discovered and reported to Google by security researchers from mobile security firm GuardSquare this summer and has been patched by Google, among around four dozen other vulnerabilities, as part of its December Android Security Bulletin.
However, the worrying part is that the majority of Android users will not receive these patches for the next few months, until their device manufacturers (OEMs) release custom updates for them, leaving a large number of smartphone users exposed in the meantime.
The vulnerability affects apps signed only with APK signature scheme v1 on devices running Android 5.0 (Lollipop) through 8.0 (Oreo). Apps signed with signature scheme v2, which Android 7.0 (Nougat) introduced, are not affected on devices that verify it.
Explained: How the Android Janus Vulnerability Works
The vulnerability lies in the way Android handles APK installation, which leaves room to add extra bytes to an APK file without affecting the application's signature. Before going further, some basics about the APK format are needed.
A valid APK file is an archive, in fact a Zip file, that contains the application code, resources, assets, signatures, certificates and the manifest file.
The Android runtime can load code not only from an APK archive but also from a bare DEX (Dalvik EXecutable) file, the compiled form of the app's code that normally sits inside the APK as classes.dex.
When installing an app or an update, the device looks at the first bytes of the file to decide what it is: a DEX header at offset 0 marks the file as DEX, otherwise it is treated as an APK archive. If the file is DEX, the runtime loads and executes that code directly; otherwise it unpacks and runs the archive as a regular APK.
A Zip archive, however, is parsed from its end (the end-of-central-directory record), so a Zip parser tolerates arbitrary bytes in front of the archive. It turns out that a single file can therefore be a valid DEX file and a valid APK archive at the same time, without affecting the archive's validity or its signature.
The researchers found that, because the v1 (JAR) signature only covers the contents of the archive's entries and not the raw bytes of the file, an attacker can prepend malicious code compiled as DEX to an APK that contains legitimate, correctly signed code. The signature check passes on the archive, while the runtime, seeing a DEX header, executes the attacker's code, all without detection.
In other words, the attack does not require modifying the legitimate app's code (which would invalidate the signature); the vulnerability lets malware authors simply add extra malicious code in front of the original app.
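To make the dual-format trick concrete, here is an added example (not code from the article or from GuardSquare) that builds a tiny v1-style archive, prepends a placeholder carrying the DEX magic, and shows that the per-entry digests which v1 (JAR) signing covers are unchanged while a whole-file digest, the kind v2 signing covers, is not. It also includes the check a triage engineer would want: derive how many bytes precede the Zip from its end-of-central-directory record. The DEX payload is a constructed placeholder (only the magic bytes are real, so it would not run on a device), and the manifest is a simplified stand-in for the real CERT.SF/CERT.RSA pair.

```python
import hashlib
import io
import struct
import zipfile

# Constructed sample: a stand-in for the DEX an attacker would prepend.
# Only the 8-byte magic is real; the rest is padding.
DEX_MAGIC = b"dex\n035\x00"
FAKE_DEX = DEX_MAGIC + b"\x00" * 56  # 64-byte placeholder

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory signature


def build_apk_like_zip() -> bytes:
    """Build a minimal v1-style archive: one 'classes.dex' entry plus a
    JAR-signing manifest listing that entry's digest. Constructed for the
    example; the point is which bytes the digest covers, not the PKCS#7 part."""
    buf = io.BytesIO()
    payload = b"benign application code"  # constructed stand-in for real DEX
    digest = hashlib.sha256(payload).hexdigest()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", payload)
        z.writestr("META-INF/MANIFEST.MF",
                   f"Name: classes.dex\nSHA-256-Digest: {digest}\n".encode())
    return buf.getvalue()


def prepended_bytes(data: bytes) -> int:
    """Bytes in front of the Zip proper, computed the way a Zip parser does:
    find the EOCD record, read the recorded central-directory size and offset,
    and compare with where the EOCD actually sits in the file."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a Zip archive")
    size_cd, offset_cd = struct.unpack_from("<II", data, eocd + 12)
    return eocd - size_cd - offset_cd


def is_janus_candidate(data: bytes) -> bool:
    """Flag a file that is a DEX at offset 0 and a Zip archive at the end."""
    return data.startswith(DEX_MAGIC[:4]) and prepended_bytes(data) > 0


def entry_digests(data: bytes) -> dict:
    """What v1 (JAR) signing covers: digests of the archive entries' contents.
    zipfile, like Android's parser, skips leading bytes on its own."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {n: hashlib.sha256(z.read(n)).hexdigest() for n in z.namelist()}


def whole_file_digest(data: bytes) -> str:
    """What v2 signing covers: the bytes of the file itself."""
    return hashlib.sha256(data).hexdigest()


def demo() -> dict:
    original = build_apk_like_zip()
    janus = FAKE_DEX + original  # the Janus construction: DEX in front, Zip behind
    return {
        "prepended": prepended_bytes(janus),
        "orig_flagged": is_janus_candidate(original),
        "janus_flagged": is_janus_candidate(janus),
        "entry_digests_equal": entry_digests(original) == entry_digests(janus),
        "file_digests_equal": whole_file_digest(original) == whole_file_digest(janus),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Any tool that reads the file as a Zip, as zipfile does here, silently skips the prepended bytes and reports only the legitimate entries, which is why a per-entry scheme such as v1 cannot notice the difference. A detector therefore has to look at the raw file: a DEX magic at offset 0 combined with a non-zero gap before the Zip data is the signature of a Janus-style file.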
Attack Scenarios
After creating malicious but validly signed versions of legitimate applications, attackers can distribute them through various attack vectors, including spam emails, third-party app stores delivering fake apps and updates, social engineering, and even man-in-the-middle attacks.
According to the researchers, it may be "relatively easy to trick some users because the application can still look exactly like the original application and has the proper signature."
I find the man-in-the-middle attack more interesting, as it could let attackers push a malicious update to apps that fetch their updates over an unencrypted HTTP connection.
"When the user downloads an update of an application, the Android runtime compares its signature with the signature of the original version. If the signatures match, the Android runtime proceeds to install the update," GuardSquare explains.
"The updated application inherits the permissions of the original application. Attackers can, therefore, use the Janus vulnerability to mislead the update process and get unverified code with powerful permissions installed on the devices of unsuspecting users."
"For experts, the common reverse engineering tools do not show the injected code. Users should always be vigilant when downloading applications and updates," the security firm added.
Since Android 7.0 (Nougat) and later verify APK Signature Scheme v2, which covers the whole file and so rejects a Janus-style APK as long as the app is signed with v2, users running older Android versions are strongly recommended to upgrade their device OS (if an update is available).
It is unfortunate, but if your device manufacturer offers neither security patches nor the latest Android version, you should not install apps or updates from outside the Google Play Store, to minimise the risk of being compromised.
The researchers also advised Android developers always to sign their apps with signature scheme v2 so that they cannot be tampered with this way. Note that a v2 signature only helps on devices that check it, i.e. Android 7.0 and later; on older devices the protection has to come from the OS patch. apksigner verify --verbose reports which schemes a given APK carries.