
Android flaw lets attack code slip into signed apps

Janus bug leaves APKs vulnerable to poisoning

Researchers say a recently patched vulnerability in Android could leave users vulnerable to attack from signed apps.

The vulnerability, dubbed Janus, would allow a malicious application to add bytes of code to the APK or DEX formats used by Android applications without affecting the application's signature. In other words, a scumbag could pack an app with malicious instructions, and still have it read by Android as a trusted piece of software.

The problem, say researchers with mobile security firm GuardSquare, lies in the way Android 5.0 and later handles the APK and DEX files for some applications. Because the devices check only certain bytes in an application's signature, they could read an altered signature as authentic, allowing malicious instructions to be inserted into an APK or DEX file without being detected.


"An attacker can replace a trusted application with high privileges (a system app, for instance) by a modified update to abuse its permissions. Depending on the targeted application, this could enable the hacker to access sensitive information stored on the device or even take over the device completely," GuardSquare says.

"Alternatively, an attacker can pass a modified clone of a sensitive application as a legitimate update, for instance in the context of banking or communications. The cloned application can look and behave like the original application but inject malicious behavior."

The vulnerability, CVE-2017-13156, was addressed in patch level 1 of the December Android update, so those who get their patches directly from Google should be protected. Unfortunately, due to the nature of the Android ecosystem, many vendors and carriers are slow to release fixes.

There are, however, some mitigating factors that can keep vulnerable machines protected. For starters, GuardSquare notes, the attack could not be performed through the Play Store, so apps obtained from that service should be safe. Additionally, version 2 of the Android APK signature scheme performs a more thorough check of the signature that would catch the attack.

"Older versions of applications and newer applications running on older devices remain susceptible," the company said.

"Developers should at least always apply signature scheme v2." ®
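As an added example (not code from GuardSquare, Google or this article), the Python check below triages an APK for the two conditions discussed above: whether the file carries an APK Signature Scheme v2 entry, and whether it begins with DEX magic bytes instead of a ZIP local file header. The function names and the `needs_review` policy are assumptions of this example, and it tests only for the presence of a v2 entry, not the validity of the signature.

```python
import struct
import sys

EOCD_SIG = b"PK\x05\x06"            # ZIP end-of-central-directory record
LOCAL_SIG = b"PK\x03\x04"           # ZIP local file header
DEX_MAGIC = b"dex\n"                # first bytes of a DEX file
SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_ID = 0x7109871A                  # APK Signature Scheme v2 entry ID


def has_v2_entry(data: bytes, cd_start: int) -> bool:
    """True if an APK Signing Block with a v2 entry ends at the central directory."""
    if cd_start < 32 or data[cd_start - 16:cd_start] != SIG_BLOCK_MAGIC:
        return False
    (size,) = struct.unpack_from("<Q", data, cd_start - 24)
    # ID-value pairs sit between the two copies of the block size field.
    pos, end = cd_start - size, cd_start - 24
    while 0 <= pos and pos + 12 <= end:
        length, entry_id = struct.unpack_from("<QI", data, pos)
        if entry_id == V2_ID:
            return True
        if length < 4:              # malformed pair, stop parsing
            return False
        pos += 8 + length
    return False


def inspect_apk(data: bytes) -> dict:
    """Report properties relevant to Janus (CVE-2017-13156) for one APK."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("not a ZIP/APK: no end-of-central-directory record")
    (cd_size,) = struct.unpack_from("<I", data, eocd + 12)
    cd_start = eocd - cd_size       # physical position; ZIP64 is not handled
    v2 = has_v2_entry(data, cd_start)
    starts_as_dex = data.startswith(DEX_MAGIC)
    return {
        "starts_as_zip": data.startswith(LOCAL_SIG),
        "starts_as_dex": starts_as_dex,
        "v2_entry_present": v2,
        # Example policy (assumption): review files that open as DEX or lack v2.
        "needs_review": starts_as_dex or not v2,
    }


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, inspect_apk(fh.read()))
```

For full signature verification rather than this presence check, use `apksigner verify` from the Android SDK build tools.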
