Saturday, December 14, 2024
HomeCVE/vulnerabilityJanus Vulnerability - Hackers to Modify Android Apps Code Without Affecting Their...

Janus Vulnerability – Hackers to Modify Android Apps Code Without Affecting Their Signatures

Published on

SIEM as a Service

Janus Vulnerability, a new flaw discovered in Android apps that is capable of modifying the Android app’s code without making any alteration in their signatures.

This flaw leads to change the code in trusted Android applications and insert the malicious code on behalf then bypass the anti-malware protections.

This Janus Vulnerability allows an attacker to add the extra byte to the APK files and DEX files and APK file is a zip archive, which can contain arbitrary bytes at the start.

- Advertisement - SIEM as a Service

In this case, JAR signature only verifying the zip entries and it will not calculate the extra bytes when computing or verifying the application’s signature.

Also Read:  Keylogger Discovered in HP Notebook Keyboard Drivers

Another part of the Zipped package, DEX file can contain arbitrary bytes at the end, after the regular sections of strings, classes, method definitions.

Also Read:  ANDROID PENTESTING

How Does Janus Vulnerability Works

Basically, Android installation runtime loads the APK then find and extract this DEX file and run the code.

According to guardsquare, In practice, the virtual machine can load and execute both APK files and DEX files. When it gets an APK file, it still looks at the magic bytes in the header to decide which type of file it is. If it finds a DEX header, it loads the file as a DEX file. Otherwise, it loads the file as an APK file containing a zip entry with a DEX file. It can thus misinterpret dual DEX/APK files.

Attacker initially creates a  malicious DEX file to an APK file without affecting the signature and inject the code via DEX file.

During the version update of the particular targeted Android application accepts the APK file as a valid update of the legitimate earlier version of the app.

Android’s self Signed certification help to verifying the signature each and every time when user gets updates for the new version.

so old version always need to check it’s signature  and allow user to perform Android runtime compares its signature with the signature of the original version.

Once signature matches then it allows to proceeding the installation which is inherited from the old version.

Here attacker misleads the updating process using Janus vulnerability and abuse an updating process to inject the unverified code and make them install malicious code along with the legitimate application.

Replace the trusted application with high privileges leads to attacker can perform very dangerous activities and they can access sensitive information stored in the compromised application and even more many possibilities to steal banking related information.

“The zip file format is archaic and prone to problems like the Master Key vulnerability and this Janus vulnerability. Ambiguous zip files likely give rise to similar vulnerabilities in different contexts and on different systems.

The root cause is redundancy in the format. When designing data formats, protocols, data structures and code in general, one should always strive to avoid redundancy. Any discrepancies lead to bugs or worse.” guardsquare said.

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2017-12-05 or later address all of these issues.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...

New Android Banking Malware Attacking Indian Banks To Steal Login Credentials

Researchers have discovered a new Android banking trojan targeting Indian users, and this malware...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...

Dell Security Update, Patch for Multiple Critical Vulnerabilities

Dell Technologies has released a security advisory addressing multiple critical vulnerabilities that could expose...