New Android vulnerability modifies an app without affecting its signature

Published in the Random EN group
The Belgian firm GuardSquare has published a report on a vulnerability (CVE-2017-13156) discovered in Android, nicknamed Janus. The vulnerability allows attackers to modify application code without affecting the signature.
Android requires developers to sign their applications. During an update, the system compares the signature of the APK file with that of the installed version and, if there is a match, the application is compiled into a DEX file to run on the device.

The root of the problem is that both APK and DEX files can carry extra bytes. An APK file is a zip archive, and a zip archive may contain arbitrary bytes at the beginning, before the zip entries. When verifying the application's signature, the JAR signature scheme takes only the zip entries into account and ignores any additional bytes. A DEX file, in turn, may contain arbitrary bytes at the end. Janus therefore combines an unmodified APK file with a modified DEX executable in a way that does not affect the application signature. In this case, the Android system will allow the file to be installed and will then run the code starting from the DEX header. At the same time, attackers have the opportunity to manage permissions and replace the application during the next update.
Janus will only be able to harm applications that are signed using a JAR-based method (Android 5.0 and higher). Starting with Android 7.0 Nougat, the JAR signature method was replaced by APK Signature Scheme v2, which provides protection for subsequent versions.
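A defender can check an APK for the layout described above, bytes placed before the first zip entry that begin with the DEX magic. The following is an added example, not code from GuardSquare or the original post; the function names and the sample data are constructed for illustration.

```python
import io
import zipfile

DEX_MAGIC = b"dex\n"  # a DEX file starts with "dex\n", a 3-digit version, then NUL


def inspect_apk(data: bytes) -> dict:
    """Measure what precedes the first zip entry and whether it looks like DEX."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # header_offset is the real file position of each local header;
            # zipfile corrects it when data was prepended to the archive.
            leading = min((i.header_offset for i in zf.infolist()), default=0)
    except zipfile.BadZipFile:
        return {"is_zip": False, "leading_bytes": None, "janus_pattern": False}
    dex_prefix = data[:4] == DEX_MAGIC and data[7:8] == b"\x00"
    return {"is_zip": True, "leading_bytes": leading,
            "janus_pattern": leading > 0 and dex_prefix}


def constructed_apk() -> bytes:
    """Constructed stand-in for an APK: a zip with two placeholder entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"placeholder")
    return buf.getvalue()


# Constructed 112-byte blob carrying only the DEX magic, not a real DEX file.
CONSTRUCTED_DEX_HEADER = b"dex\n035\x00" + bytes(104)

if __name__ == "__main__":
    clean = constructed_apk()
    samples = [("clean", clean), ("prefixed", CONSTRUCTED_DEX_HEADER + clean)]
    for name, blob in samples:
        print(name, inspect_apk(blob))
```

A normal APK reports zero leading bytes, so any non-zero value is worth investigating even when the prefix is not DEX.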