Android Vulnerability Lets Malware Bypass App Signatures (affects Android 5.0 and later)

LASER_oneXM

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
Google's December 2017 Android Security Bulletin contains a fix for a vulnerability that allows malicious actors to bypass app signatures and inject malicious code into Android apps.
Discovered by the research team at mobile security firm GuardSquare, the vulnerability resides in the mechanism Android OS uses to read application signatures.

Researchers inject malicious DEX inside APK file
GuardSquare researchers say that the Android OS sparingly checks bytes at various locations to verify a file's integrity.
The location of these bytes are different for APK and DEX files, and researchers discovered that they could inject a DEX file inside an APK and the Android OS would still think it's reading the original APK file.
This happens because the DEX insertion process does not alter the bytes Android checks for integrity, and the file's signature never changes.
Click to expand...

Perfect attack for malware distribution

In real-life scenarios, this vulnerability —which GuardSquare named Janus after the Roman god of duality— allows an attacker to inject malicious DEX files inside a valid Android app update (APK file).

Furthermore, because the updated application inherits the permissions of the original application, malware delivered through this method can easily obtain very intrusive access rights by exploiting apps users normally consider safe.

The only downside of a Janus attack is that it cannot be performed by hosting malicious updates on the official Play Store, and attackers must lure users on third-party app stores and trick them into installing updates for legitimate apps.
Click to expand...

According to GuardSquare, the Janus vulnerability affects only apps signed with the app signature scheme v1. Apps signed with the signature scheme v2 are not affected.

In addition, Janus only affects devices running Android 5.0 and later. An Android update that patches phones against Janus is available for owners of Google smartphones. The rest of the Android pleb is at the mercy of mobile carriers.
Click to expand...
 
  • Like
Reactions: harlan4096, Solarquest and silversurfer
You must log in or register to reply here.

Similar threads

upnorth
    • +Reputation
    • Like
    • Wow
Android Malware steals credentials using Optical Character Recognition
Replies
0
Views
959
News Archive
upnorth
upnorth
MuzzMelbourne
    • Like
    • +Reputation
New AhRat Android malware hidden in app with 50,000 installs
Replies
0
Views
867
News Archive
MuzzMelbourne
MuzzMelbourne
LASER_oneXM
    • Like
    • +Reputation
Kyocera Android app with 1M installs can be abused to drop malware
Replies
0
Views
841
News Archive
LASER_oneXM
LASER_oneXM

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top