One of the vulnerabilities patched by Google as part of the December 2017 Android security patches is a High severity bug that could result in tampering with applications’ code without altering their signature.
Discovered by GuardSquare security researchers and tracked as CVE-2017-13156, the security flaw is created by the fact that “a file can be a valid APK file and a valid DEX file at the same time.” Because of that, the researchers called the bug the Janus vulnerability (after the Roman god of duality).
The issue, the researchers say, is that extra bytes can be added to APK files and to DEX files. As ZIP archives, APK files can contain arbitrary bytes at the start, between its ZIP entries, which are the only ones the JAR signature scheme takes into account when verifying the application’s signature (any extra bytes are ignored). DEX files, on the other hand, can contain arbitrary bytes at the end.
Another issue is that the Dalvik/ART virtual machine can load and execute both APK and DEX files. In theory, it loads the APK then extracts the DEX and runs it. In practice, it looks at the file’s header and, depending on how it interprets the information there, loads the APK either as a DEX file or as an APK file containing a ZIP entry with a DEX file.
“An attacker can leverage this duality. He can prepend a malicious DEX file to an APK file, without affecting its signature. The Android runtime then accepts the APK file as a valid update of a legitimate earlier version of the app. However, the Dalvik VM loads the code from the injected DEX file,” the security researchers explain.
By exploiting the vulnerability, an attacker could have malicious code running on an Android device with the same permissions as the targeted application, provided they trick the user into downloading and installing a fake update.
“An attacker can replace a trusted application with high privileges (a system app, for instance) by a modified update to abuse its permissions. Depending on the targeted application, this could enable the hacker to access sensitive information stored on the device or even take over the device completely,” the security researchers note.
An attacker could clone sensitive applications (such as banking or messaging apps) and deliver them as fake updates of legitimate software. Thus, the cloned application could look and behave the same as the original but inject malicious behavior.
Attack scenarios would require for the user to accept the malicious update from a source outside Google Play, which would prove relatively easy to pull off in some cases, considering that the application would still look exactly like the original.
The Janus vulnerability was found in Android 5.0 and newer. Applications signed with APK signature scheme v2 and running on Android 7.0 and newer platforms, which support the latest signature scheme, are protected. Apps using DexGuard’s tamper detection mechanism are better hardened against the attack.
“Unlike scheme v1, this scheme v2 considers all bytes in the APK file. Older versions of applications and newer applications running on older devices remain susceptible. Developers should at least always apply signature scheme v2,” GuardSquare says.
Google was informed on the vulnerability on July 31, 2017, but only released a patch to its partners in November. A fix was included in the Android Security Bulletin released on December 4, 2017.