Among the many Android vulnerabilities patched by Google this December is one that allows attackers to modify apps without invalidating their signatures.
“Although Android applications are self-signed, signature verification is important when updating Android applications. When the user downloads an update of an application, the Android runtime compares its signature with the signature of the original version. If the signatures match, the Android runtime proceeds to install the update,” GuardSquare researchers explained.
“The updated application inherits the permissions of the original application. Attackers can, therefore, use the Janus vulnerability to mislead the update process and get unverified code with powerful permissions installed on the devices of unsuspecting users.”
The vulnerability, tracked as CVE-2017-13156 and dubbed Janus by GuardSquare, can be exploited to replace any kind of app, even a system app, without the user noticing anything or Android preventing the installation.
The root of the vulnerability
The problem stems from the fact that a single file can be a valid APK file and a valid DEX file at the same time. An APK is a zip archive, and a zip parser locates the archive by reading from the end of the file (the end-of-central-directory record), so arbitrary bytes may precede it. A DEX file is identified by a header at offset 0 that records the file's own length, so arbitrary bytes may follow it. Placing a DEX file in front of a zip archive therefore yields one file that both parsers accept.
“[An attacker] can prepend a malicious DEX file to an APK file, without affecting its signature. The Android runtime then accepts the APK file as a valid update of a legitimate earlier version of the app. However, the Dalvik VM loads the code from the injected DEX file,” the researchers noted.
The vulnerability affects devices running Android 5.0 (“Lollipop”) and newer versions of the OS.
The vulnerability has been patched by Google, and the patch released to partners in November.
Users of Google smartphones (Pixel and Nexus) are protected right away, but those who depend on security updates being pushed out by other vendors and carriers are vulnerable until the patches are provided by the latter.
The good news
The good news is that there is no indication that the vulnerability is being exploited in the wild. Also, according to the researchers, if you download apps directly from Google Play you should be safe.
“Applications that have been signed with APK signature scheme v2 and that are running on devices supporting the latest signature scheme (Android 7.0 and newer) are protected against the vulnerability,” the researchers noted.
“Unlike scheme v1, this scheme v2 considers all bytes in the APK file. Older versions of applications and newer applications running on older devices remain susceptible. Developers should at least always apply signature scheme v2.”
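The DEX-then-APK layout described under "The root of the vulnerability", and the difference between a per-entry digest (what scheme v1 covers) and a whole-file digest (what scheme v2 covers) described in the last quote, as an added example that is not part of this article and is not GuardSquare's or Google's code. It builds a constructed, unsigned sample APK with Python's zipfile module, prepends a stand-in DEX header (only the magic and file_size fields are modelled; it is not a loadable DEX), and shows that the zip entries and their digests are unchanged while the file now opens with DEX magic and carries bytes ahead of the real zip start. The function names, sample entry names and contents, and the simplified "v1-style" and "v2-style" digests are assumptions made for the example.

```python
"""Janus-style DEX/APK polyglot: detect it, and see why v1 signing misses it.

Added example; not code from the article, GuardSquare or Google.  The DEX
side is a constructed stand-in (magic + file_size only), and the "v1" and
"v2" digests are simplified models of what each scheme covers.
"""
import hashlib
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n035\0"      # 8-byte magic of a classic DEX file
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"        # End Of Central Directory record signature


def build_apk(entries):
    """Build an unsigned zip (the APK side) from {name: bytes}; constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def fake_dex(payload):
    """Stand-in for a DEX file (assumption: not a real, loadable DEX).

    A real DEX header is 0x70 bytes and stores file_size at offset 0x20;
    a DEX parser trusts that field, so bytes after file_size are ignored.
    """
    body = bytearray(0x70) + payload
    body[0:8] = DEX_MAGIC
    struct.pack_into("<I", body, 0x20, len(body))  # file_size covers the DEX part only
    return bytes(body)


def leading_bytes(data):
    """Number of bytes before the zip structure actually begins.

    A zip parser works from the end: it finds the EOCD record, reads the
    central directory size and its *stored* offset, and treats the gap
    between where the directory really is and where it claims to be as
    leading junk.  That is why prepended bytes do not break the archive.
    """
    eocd = data.rfind(ZIP_EOCD)
    if eocd < 0:
        raise ValueError("not a zip: no EOCD record")
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    return (eocd - cd_size) - cd_offset


def v1_style_digests(data):
    """Model of what APK signature scheme v1 (JAR signing) covers: a digest
    of each entry's *content*.  Bytes outside the entries are invisible."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {zi.filename: hashlib.sha256(zf.read(zi)).hexdigest()
                for zi in zf.infolist()}


def v2_style_digest(data):
    """Model of what scheme v2 covers: every byte of the file (real v2 excludes
    only its own signing block, which this unsigned sample does not have)."""
    return hashlib.sha256(data).hexdigest()


def is_janus_polyglot(data):
    """True if the file opens with DEX magic yet still parses as a zip with
    bytes ahead of its real start, i.e. the DEX-then-APK layout."""
    return data.startswith(DEX_MAGIC) and leading_bytes(data) > 0


def demo():
    legit = build_apk({"classes.dex": fake_dex(b"legit code"),      # constructed entries
                       "AndroidManifest.xml": b"<manifest/>"})
    injected = fake_dex(b"attacker code")                            # constructed DEX stand-in
    polyglot = injected + legit
    return {
        "legit_leading": leading_bytes(legit),
        "polyglot_leading": leading_bytes(polyglot),
        "injected_size": len(injected),
        "v1_sees_same_entries": v1_style_digests(legit) == v1_style_digests(polyglot),
        "v2_sees_change": v2_style_digest(legit) != v2_style_digest(polyglot),
        "legit_flagged": is_janus_polyglot(legit),
        "polyglot_flagged": is_janus_polyglot(polyglot),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it on a real APK by reading the file and calling `is_janus_polyglot` and `leading_bytes`; a clean APK reports zero leading bytes and begins with `PK\x03\x04`. The per-entry digests matching on both files is the whole point of the article's quote: a v1 verifier only ever looks at entry contents, whereas a v2 verifier hashes the file as a whole, so the prepended DEX changes the v2 digest and is rejected on devices that enforce it.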