
Android Flaw Lets Hackers Inject Malware Into Apps Without Altering Signatures

Millions of Android devices are at serious risk from a newly disclosed critical vulnerability that allows attackers to secretly overwrite legitimate applications installed on your smartphone with their malicious versions.

Dubbed Janus, the vulnerability allows attackers to modify the code of Android apps without affecting their signature verification certificates, eventually allowing them to distribute malicious updates for legitimate apps that look and work the same as the original apps.

The vulnerability (CVE-2017-13156) was discovered and reported to Google by security researchers from mobile security firm GuardSquare this summer and has been patched by Google, among four dozen vulnerabilities, as part of its December Android Security Bulletin.

However, the worrisome part is that the majority of Android users will not receive these patches for the next few months, until their device manufacturers (OEMs) release custom updates for them, apparently leaving a large number of smartphone users vulnerable to hackers.

The vulnerability affects apps using APK signature scheme v1 installed on devices running Android versions 5 (Lollipop) and 6 (Marshmallow).

Explained: How Android Janus Vulnerability Works?

The vulnerability resides in the way Android handles APK installation for some apps, leaving a possibility to add extra bytes of code to an APK file without affecting the application's signature.

Before proceeding further, you need to know some basics about an APK file.

A valid APK file is a type of archive file, just like Zip, which includes application code, resources, assets, signatures, certificates, and a manifest file.

Earlier versions of the Android operating system, 5.0 (Lollipop) and 6.0 (Marshmallow), also support a process virtual machine that helps to execute APK archives containing a compiled version of application code and files, compressed with the DEX (Dalvik EXecutable) file format.

While installing an Android app or its update, your device checks the APK header information to determine whether the archive contains code in the compressed DEX files.

If the header says the APK archive contains DEX files, the process virtual machine decompiles the code accordingly and executes it; otherwise, it runs the code as a regular APK file.

It turns out that an APK archive can contain DEX files as well as regular application code simultaneously, without affecting its validity and signatures.

Researchers found that this ability to add extra bytes of code, due to a lack of file integrity checking, could allow attackers to prepend malicious code compiled in DEX format to an APK archive containing legitimate code with valid signatures, eventually tricking the app installation process into executing both sets of code on the targeted device without being detected.

In other words, the hack doesn't require attackers to modify the code of legitimate applications (which would make the signatures invalid). Instead, the vulnerability allows malware authors to merely add some extra malicious lines of code to the original app.
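A defender-side check for the dual-format condition described above, added here as an example (it is not GuardSquare's or Google's code): it flags a file that begins with the DEX magic yet still ends with a ZIP end-of-central-directory record, and reports whether an APK Signing Block (used by signature scheme v2) sits in front of the central directory. The function names and the in-memory sample files are assumptions made for this illustration.

```python
import io
import struct
import zipfile

DEX_MAGIC_PREFIX = b"dex\n"            # DEX header: "dex\n" + 3-digit version + NUL
EOCD_SIG = b"PK\x05\x06"               # ZIP end-of-central-directory record
LOCAL_HEADER_SIG = b"PK\x03\x04"       # ZIP local file header (normal APK start)
V2_BLOCK_MAGIC = b"APK Sig Block 42"   # last 16 bytes of the APK Signing Block


def inspect_apk(data: bytes) -> dict:
    """Classify the raw bytes of a file that claims to be an APK."""
    eocd = data.rfind(EOCD_SIG)        # simple scan; ignores signatures inside a ZIP comment
    is_zip = eocd != -1
    # A ZIP reader locates its directory from the end, a DEX reader from byte 0.
    starts_as_dex = data[:4] == DEX_MAGIC_PREFIX and data[7:8] == b"\x00"
    has_v2 = False
    if is_zip and eocd + 20 <= len(data):
        cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
        # When present, the signing block ends immediately before the central directory.
        has_v2 = data[max(cd_offset - 16, 0):cd_offset] == V2_BLOCK_MAGIC
    return {
        "is_zip": is_zip,
        "starts_as_zip": data[:4] == LOCAL_HEADER_SIG,
        "starts_as_dex": starts_as_dex,
        "has_v2_block": has_v2,
        "janus_suspect": is_zip and starts_as_dex,
    }


def constructed_samples() -> dict:
    """Constructed fixtures: a tiny ZIP, and the same bytes behind a DEX-style magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    plain = buf.getvalue()
    # Not a loadable DEX or installable APK: only the leading magic matters to the check.
    flagged = b"dex\n035\x00" + b"\x00" * 24 + plain
    return {"plain": plain, "flagged": flagged}


if __name__ == "__main__":
    for name, data in constructed_samples().items():
        print(name, inspect_apk(data))
```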

Attack Scenarios


After creating malicious but valid versions of legitimate applications, hackers can distribute them using various attack vectors, including spam emails, third-party app stores delivering fake apps and updates, social engineering, and even man-in-the-middle attacks.

According to the researchers, it may be "relatively easy to trick some users because the application can still look exactly like the original application and has the proper signature."

I find the man-in-the-middle attack more interesting, as it could allow hackers to push a malicious installation for apps designed to receive their updates over an unencrypted HTTP connection.

"When the user downloads an update of an application, the Android runtime compares its signature with the signature of the original version. If the signatures match, the Android runtime proceeds to install the update," GuardSquare explains.

"The updated application inherits the permissions of the original application. Attackers can, therefore, use the Janus vulnerability to mislead the update process and get an unverified code with powerful permissions installed on the devices of unsuspecting users."

"For experts, the common reverse engineering tools do not show the injected code. Users should always be vigilant when downloading applications and updates," the security firm added.

Since this vulnerability does not affect Android 7 (Nougat) and later, which support APK signature scheme version 2, users running older Android versions are highly recommended to upgrade their device OS (if available).

It's unfortunate, but if your device manufacturer offers neither security patches nor the latest Android version, then you should not install apps and updates from outside the Google Play Store, to minimise the risk of being hacked.

Researchers also advised Android developers to always apply signature scheme v2 in order to ensure their apps cannot be tampered with.