Android is installed on a huge number of devices, and that makes it an attractive target for attackers. Vulnerabilities in Google's mobile operating system continue to be discovered every month; the good news is that Google is usually diligent about fixing them in regular security patches, which are offered to OEMs, who then ship them to devices.

Recently, security researchers uncovered a vulnerability that tricked users into allowing attackers to record their device's screen. That particular issue was fixed in Android Oreo, but analysts at GuardSquare have now reported another serious vulnerability, one that affects Android apps signed only with the older (v1, JAR-style) APK signature scheme.

GuardSquare's report states that the Janus vulnerability (CVE-2017-13156) allows attackers to modify the code of an Android application without affecting its signature. The root of the vulnerability, the report goes on to say, is that a single file can be a valid APK file and a valid DEX file at the same time.

Janus takes advantage of the fact that both APK files and DEX files tolerate extra bytes that their parsers never look at. An APK file is a ZIP archive, and a ZIP archive can contain arbitrary bytes at the start, before and between its entries, because the archive is located from the end-of-central-directory record at its tail rather than from offset 0. The JAR signature scheme (APK signature scheme v1) only covers the ZIP entries, so any such extra bytes are ignored when the application's signature is computed or verified.

A DEX file, on the other hand, can contain arbitrary bytes at the end, after its regular sections (strings, classes, method definitions, and so on), because the DEX header declares the file's own size and a DEX parser stops there. Prepend a DEX file to an APK, therefore, and the result is a file that is a valid APK and a valid DEX at the same time.

GuardSquare also points to a seemingly harmless feature of the Dalvik/ART virtual machine. In theory, the Android runtime loads the APK file, extracts its DEX file and then runs that code. In practice, the virtual machine (VM) can load and execute both APK files and DEX files directly. When it is handed an APK file, it still inspects the magic bytes at the start of the file to decide which type it is: if it finds a DEX header, it loads the file as a DEX file; if it doesn't, it loads the file as an APK, that is, a ZIP archive containing a DEX entry. A dual DEX/APK file is therefore misinterpreted.

An attacker can leverage this duality to add a malicious DEX file to the front of a normal APK file without affecting its signature. The Android runtime accepts the APK file as a valid update to a legitimate earlier version of the app, but the VM sees the DEX header first and loads the code from the prepended DEX file, which carries the attacker's malicious code, rather than the signed classes.dex inside the archive.

Normally, when a user installs an update to an app, the Android runtime verifies that the update's signature matches that of the installed version. If it does, the updated application inherits the permissions already granted to the original. Janus lets attackers pass this signature check and get unverified code installed on the devices of unsuspecting users.

What is worse, that unverified code runs with whatever permissions the app it replaces had been granted, which may be powerful ones. This gives rise to some severe possibilities. GuardSquare states:

"An attacker can replace a trusted application with high privileges (a system app, for instance) by a modified update to abuse its permissions. Depending on the targeted application, this could enable the hacker to access sensitive information stored on the device or even take over the device completely. Alternatively, an attacker can pass a modified clone of a sensitive application as a legitimate update [which] can look and behave like the original application but inject malicious behavior."

The company added that it had not, so far, seen any applications exploiting Janus in the wild. The other piece of good news is that exploitation requires the user to install a malicious update from a source outside the Google Play Store, so users who limit app installs to the Play Store are protected.

The Janus vulnerability affects devices running Android 5.0 and later. Applications signed only with APK signature scheme v1 are affected. APKs signed with signature scheme v2 are protected, because, unlike scheme v1, v2 covers every byte of the APK file, so prepending a DEX file invalidates the signature. That protection only applies, however, when the APK is installed on a device that supports the newer scheme (Android 7.0 and newer); older devices ignore the v2 signature and fall back to v1 verification.

"Older versions of applications and newer applications running on older devices remain susceptible. Developers should at least always apply signature scheme v2," GuardSquare states.
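The file-layout explanation above (bytes prepended to a ZIP are ignored by the v1/JAR scheme, bytes trailing a DEX are ignored by the DEX parser) and the remark about scheme v2 can both be made concrete in a few dozen lines of Python. What follows is an added example, not code from GuardSquare's report or from Android. It builds a constructed, unsigned ZIP standing in for an APK and a constructed 0x70-byte DEX header (correct magic and `file_size` field, but no checksum, SHA-1 or sections, so it is not something ART would load), glues them together in the Janus layout, and then shows that a ZIP reader still sees only the original entries while the DEX header claims the file ends before the ZIP begins. It also implements the two checks a v1-only verifier skips: how many bytes sit before the archive proper (derived from the end-of-central-directory record) and whether an APK Signing Block, the structure that carries v2 signatures, sits immediately in front of the central directory. The `insert_fake_signing_block` helper inserts an empty block, constructed here to mark where a real one lives; it contains no signature.

```python
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n035\x00"                 # 8 bytes: "dex\n" + version "035\0"
DEX_HEADER_SIZE = 0x70
EOCD_SIG = b"PK\x05\x06"                    # ZIP end-of-central-directory record
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"   # last 16 bytes of a v2/v3 APK Signing Block


def build_fake_dex(body_len=64):
    """Constructed stand-in for a DEX file: real header layout, dummy content.
    Checksum (offset 8) and SHA-1 (offset 12) stay zero, so ART would reject it."""
    total = DEX_HEADER_SIZE + body_len
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = DEX_MAGIC
    # file_size, header_size, endian_tag live at offsets 32, 36, 40
    struct.pack_into("<III", hdr, 32, total, DEX_HEADER_SIZE, 0x12345678)
    return bytes(hdr) + b"\x00" * body_len


def build_fake_apk():
    """Constructed, unsigned ZIP with the entries a v1-signed APK would carry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", b"real app code would be here")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def make_dual_file(dex, apk):
    """Janus layout: DEX bytes first, the original APK appended unchanged."""
    return dex + apk


def find_eocd(data):
    """Offset of the EOCD record, which lies within the last 64 KiB + 22 bytes."""
    pos = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 0xFFFF))
    if pos < 0:
        raise ValueError("not a ZIP: no end-of-central-directory record")
    return pos


def zip_prefix_length(data):
    """Bytes before the archive proper. The EOCD stores the central directory's
    size and its offset from the archive start; anything left between
    (eocd - cd_size) and cd_offset was prepended to the ZIP."""
    eocd = find_eocd(data)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    return eocd - cd_size - cd_offset


def zip_entries(data):
    """What a JAR-style (v1) verifier looks at: only the ZIP entries."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return sorted(z.namelist())


def dex_declared_size(data):
    """file_size from the DEX header, or None if the file lacks DEX magic.
    A DEX parser ignores everything past this offset, which is where the ZIP sits."""
    if data[:4] != b"dex\n":
        return None
    return struct.unpack_from("<I", data, 32)[0]


def insert_fake_signing_block(apk):
    """Constructed, empty APK Signing Block placed where a real one goes: right
    before the central directory, with the EOCD's directory offset adjusted."""
    eocd = find_eocd(apk)
    cd_size, cd_offset = struct.unpack_from("<II", apk, eocd + 12)
    pairs = b""                                   # no ID-value pairs in this stand-in
    size = 8 + len(pairs) + 16                    # size field excludes the leading uint64
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    out = bytearray(apk)
    out[cd_offset:cd_offset] = block
    struct.pack_into("<I", out, eocd + len(block) + 16, cd_offset + len(block))
    return bytes(out)


def has_v2_signing_block(data):
    """True if the 16-byte block magic ends exactly where the central directory starts."""
    eocd = find_eocd(data)
    cd_start = struct.unpack_from("<I", data, eocd + 16)[0] + zip_prefix_length(data)
    if cd_start < 16:
        return False
    return data[cd_start - 16:cd_start] == APK_SIG_BLOCK_MAGIC


def analyse(data):
    """The checks a v1-only verifier skips: DEX magic at offset 0 and prepended bytes."""
    prefix = zip_prefix_length(data)
    dex_size = dex_declared_size(data)
    return {
        "zip_entries": zip_entries(data),
        "prefix_bytes": prefix,
        "dex_file_size": dex_size,
        "has_v2_block": has_v2_signing_block(data),
        "janus_suspect": prefix > 0 or dex_size is not None,
    }


if __name__ == "__main__":
    dex, apk = build_fake_dex(), build_fake_apk()
    for name, blob in (("clean", apk), ("dual", make_dual_file(dex, apk)),
                       ("dual+v2", make_dual_file(dex, insert_fake_signing_block(apk)))):
        print(name, analyse(blob))
```

For the "dual" input, `zip_entries` returns exactly the two entries of the clean archive, which is all a v1 verifier ever hashes, while `dex_declared_size` reports that the DEX ends at byte 176, before the first ZIP byte: the two parsers each see a complete, consistent file and simply disagree about which bytes matter. The `prefix_bytes` figure is the check worth adding to any pipeline that accepts third-party APKs, since a legitimate APK has nothing in front of its first local file header. Finding a v2 signing block does not, on its own, protect a device older than Android 7.0: such a device ignores the block and verifies the v1 signature only, which is why the report says newer apps on older devices remain susceptible.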

GuardSquare reported the issue to Google on July 31, 2017, and received acknowledgment the same day. According to the company's report, Google released a patch to its partners in November and published the bug (CVE-2017-13156) in the Android Security Bulletin on December 4, 2017; the vulnerability is fixed in the December 2017 Android security patch. Separately, applications from F-Droid's official repository have been confirmed to be unaffected. Lastly, APKMirror has confirmed that it has addressed the vulnerability on its site.


Source: GuardSquare