Janus Vulnerability, a new flaw discovered in Android apps that is capable of modifying the Android app’s code without making any alteration in their signatures.
This flaw leads to change the code in trusted Android applications and insert the malicious code on behalf then bypass the anti-malware protections.
This Janus Vulnerability allows an attacker to add the extra byte to the APK files and DEX files and APK file is a zip archive, which can contain arbitrary bytes at the start.
In this case, JAR signature only verifying the zip entries and it will not calculate the extra bytes when computing or verifying the application’s signature.
Another part of the Zipped package, DEX file can contain arbitrary bytes at the end, after the regular sections of strings, classes, method definitions.
Also Read: ANDROID PENTESTING
How Does Janus Vulnerability Works
Basically, Android installation runtime loads the APK then find and extract this DEX file and run the code.
According to guardsquare, In practice, the virtual machine can load and execute both APK files and DEX files. When it gets an APK file, it still looks at the magic bytes in the header to decide which type of file it is. If it finds a DEX header, it loads the file as a DEX file. Otherwise, it loads the file as an APK file containing a zip entry with a DEX file. It can thus misinterpret dual DEX/APK files.
Attacker initially creates a malicious DEX file to an APK file without affecting the signature and inject the code via DEX file.
During the version update of the particular targeted Android application accepts the APK file as a valid update of the legitimate earlier version of the app.
Android’s self Signed certification help to verifying the signature each and every time when user gets updates for the new version.
so old version always need to check it’s signature and allow user to perform Android runtime compares its signature with the signature of the original version.
Once signature matches then it allows to proceeding the installation which is inherited from the old version.
Here attacker misleads the updating process using Janus vulnerability and abuse an updating process to inject the unverified code and make them install malicious code along with the legitimate application.
Replace the trusted application with high privileges leads to attacker can perform very dangerous activities and they can access sensitive information stored in the compromised application and even more many possibilities to steal banking related information.
“The zip file format is archaic and prone to problems like the Master Key vulnerability and this Janus vulnerability. Ambiguous zip files likely give rise to similar vulnerabilities in different contexts and on different systems.
The root cause is redundancy in the format. When designing data formats, protocols, data structures and code in general, one should always strive to avoid redundancy. Any discrepancies lead to bugs or worse.” guardsquare said.
The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2017-12-05 or later address all of these issues.