Monday, April 15, 2024

Janus Vulnerability – Hackers to Modify Android Apps Code Without Affecting Their Signatures

Janus Vulnerability, a new flaw discovered in Android apps that is capable of modifying the Android app’s code without making any alteration in their signatures.

This flaw leads to change the code in trusted Android applications and insert the malicious code on behalf then bypass the anti-malware protections.

This Janus Vulnerability allows an attacker to add the extra byte to the APK files and DEX files and APK file is a zip archive, which can contain arbitrary bytes at the start.

In this case, JAR signature only verifying the zip entries and it will not calculate the extra bytes when computing or verifying the application’s signature.

Also Read:  Keylogger Discovered in HP Notebook Keyboard Drivers

Another part of the Zipped package, DEX file can contain arbitrary bytes at the end, after the regular sections of strings, classes, method definitions.


How Does Janus Vulnerability Works

Basically, Android installation runtime loads the APK then find and extract this DEX file and run the code.

According to guardsquare, In practice, the virtual machine can load and execute both APK files and DEX files. When it gets an APK file, it still looks at the magic bytes in the header to decide which type of file it is. If it finds a DEX header, it loads the file as a DEX file. Otherwise, it loads the file as an APK file containing a zip entry with a DEX file. It can thus misinterpret dual DEX/APK files.

Attacker initially creates a  malicious DEX file to an APK file without affecting the signature and inject the code via DEX file.

During the version update of the particular targeted Android application accepts the APK file as a valid update of the legitimate earlier version of the app.

Android’s self Signed certification help to verifying the signature each and every time when user gets updates for the new version.

so old version always need to check it’s signature  and allow user to perform Android runtime compares its signature with the signature of the original version.

Once signature matches then it allows to proceeding the installation which is inherited from the old version.

Here attacker misleads the updating process using Janus vulnerability and abuse an updating process to inject the unverified code and make them install malicious code along with the legitimate application.

Replace the trusted application with high privileges leads to attacker can perform very dangerous activities and they can access sensitive information stored in the compromised application and even more many possibilities to steal banking related information.

“The zip file format is archaic and prone to problems like the Master Key vulnerability and this Janus vulnerability. Ambiguous zip files likely give rise to similar vulnerabilities in different contexts and on different systems.

The root cause is redundancy in the format. When designing data formats, protocols, data structures and code in general, one should always strive to avoid redundancy. Any discrepancies lead to bugs or worse.” guardsquare said.

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2017-12-05 or later address all of these issues.


Latest articles

Hacker Customize LockBit 3.0 Ransomware to Attack Orgs Worldwide

Cybersecurity researchers at Kaspersky have uncovered evidence that cybercriminal groups are customizing the virulent...

Microsoft .NET, .NET Framework, & Visual Studio Vulnerable To RCE Attacks

A new remote code execution vulnerability has been identified to be affecting multiple Microsoft...

LightSpy Hackers Indian Apple Device Users to Steal Sensitive Data

The revival of the LightSpy malware campaign has been observed, focusing on Indian Apple...

LightSpy Malware Attacking Android and iOS Users

A new malware known as LightSpy has been targeting Android and iOS users.This sophisticated...

This Startup Aims To Simplify End-to-End Cybersecurity, So Anyone Can Do It

The Web3 movement is going from strength to strength with every day that passes....

Alert! Palo Alto RCE Zero-day Vulnerability Actively Exploited in the Wild

In a recent security bulletin, Palo Alto Networks disclosed a critical vulnerability in its...

6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

The software supply chain is filled with various challenges, such as untracked security vulnerabilities...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

Related Articles