Android flaw allows injection of malware into applications

Malicious applications in the Google Play Store are nothing new, but this item deserves attention on its own: it concerns the platform itself rather than any single app, and it puts millions of Android devices at risk. A vulnerability named Janus (CVE-2017-13156) was discovered by researchers at GuardSquare. They reported it to Google in the summer of 2017, but the fix was only published recently, in the December 2017 Android Security Bulletin.

The fix ships with the December Android Security Bulletin, but a published patch does not mean a patched device. Most Android users will not receive it for months, because each device manufacturer first has to integrate the fix into its own firmware builds, test them, and roll them out.

Android vulnerability in apps

GuardSquare reported the flaw to Google as soon as it was found. As their official blog post explains, the root cause is that one file can be both a valid APK and a valid DEX file at the same time. An APK is a ZIP archive, and ZIP parsers read it starting from the end of the file; a DEX file is read from the start, where its header sits. The Android runtime decided how to load a file by looking at its first bytes: a DEX header at offset zero meant the file was treated as raw DEX, otherwise it was opened as a ZIP and the classes.dex entry inside it was used. The v1 (JAR) signature, meanwhile, only covers the entries inside the ZIP. So an attacker can prepend a DEX file to a signed APK: the signature check still passes on the untouched archive entries, while the runtime executes the attacker's prepended code.

In practice this means an attacker can alter the code of an arbitrary application while it keeps its original signing certificate, so the modified app looks untouched to the installer and to any update check that relies on the certificate. The flaw affects applications signed only with APK signature scheme v1 on devices running Android 5.0 (Lollipop) through 8.0 (Oreo) without the December 2017 patch. Applications signed with scheme v2 are protected on Android 7.0 and later, where v2 is enforced; on Android 5 and 6 only v1 is available, so those devices depend entirely on the vendor patch.
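The polyglot can be checked for with a few bytes of file-format parsing. The following is an added example, not code from GuardSquare or from the Android project: it locates the ZIP end-of-central-directory record, derives how many bytes were prepended to the archive, flags a file that parses as a ZIP yet starts with the DEX magic, and reports whether a v2 APK Signing Block precedes the central directory. The sample APK, the prepended DEX header and the v2 block are all constructed in memory as placeholders (no real classes, no real signature), so the script runs offline.

```python
"""Detect a Janus-style DEX/APK polyglot and spot a v2 APK Signing Block.

Added example, not GuardSquare's or Google's code. All inputs are constructed.
"""
import io
import struct
import zipfile

DEX_MAGIC_PREFIX = b"dex\n"                 # a DEX header begins "dex\n" + 3-digit version + NUL
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"   # 16-byte magic that ends the v2/v3 APK Signing Block
EOCD_SIG = b"PK\x05\x06"                    # ZIP End Of Central Directory record signature


def find_eocd(data: bytes) -> int:
    """Offset of the EOCD record, searched from the end like real ZIP parsers do, or -1."""
    start = max(0, len(data) - (22 + 0xFFFF))   # EOCD is 22 bytes plus up to 64 KiB of comment
    return data.rfind(EOCD_SIG, start)


def analyse(data: bytes) -> dict:
    """Structural facts about the file: ZIP-ness, DEX header, prepended bytes, v2 block."""
    starts_with_dex = data[:4] == DEX_MAGIC_PREFIX
    eocd = find_eocd(data)
    if eocd < 0:
        return {"is_zip": False, "starts_with_dex": starts_with_dex,
                "prefix_bytes": None, "v2_signed": False}
    # EOCD: sig(4) disk(2) cd_disk(2) entries_here(2) entries_total(2) cd_size(4) cd_offset(4)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    # The central directory ends where the EOCD starts, so its real position is eocd - cd_size.
    # Any difference from the recorded cd_offset is data that was glued in front of the archive.
    real_cd = eocd - cd_size
    prefix = real_cd - cd_offset
    v2 = real_cd >= 24 and data[real_cd - 16:real_cd] == APK_SIG_BLOCK_MAGIC
    return {"is_zip": True, "starts_with_dex": starts_with_dex,
            "prefix_bytes": prefix, "v2_signed": v2}


def is_janus_polyglot(data: bytes) -> bool:
    """True when the file is a readable ZIP archive that also starts with a DEX header."""
    r = analyse(data)
    return r["is_zip"] and r["starts_with_dex"]


def entry_names(data: bytes) -> list:
    """What a ZIP parser (and therefore the v1 signature check) sees inside the file."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


# --- constructed samples (placeholders, not real Android artefacts) -----------------
def build_apk_like_zip() -> bytes:
    """Minimal ZIP with the entries a v1-signed APK would carry; contents are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<placeholder/>")
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 24)
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def prepend_dex(apk: bytes) -> bytes:
    """Janus-style polyglot: a fake 0x70-byte DEX header glued in front of an untouched ZIP."""
    fake_dex = b"dex\n035\0" + b"\0" * 104
    return fake_dex + apk


def insert_fake_v2_block(apk: bytes) -> bytes:
    """Splice a placeholder APK Signing Block before the central directory (structure only)."""
    eocd = find_eocd(apk)
    cd_size, cd_offset = struct.unpack_from("<II", apk, eocd + 12)
    payload = b"\0" * 32                       # real blocks hold ID-value pairs with signatures
    size = len(payload) + 8 + 16               # size field excludes itself, includes trailer
    block = struct.pack("<Q", size) + payload + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    new_eocd = bytearray(apk[eocd:])
    struct.pack_into("<I", new_eocd, 16, cd_offset + len(block))   # central dir moved forward
    return apk[:cd_offset] + block + apk[cd_offset:eocd] + bytes(new_eocd)


if __name__ == "__main__":
    clean = build_apk_like_zip()
    samples = [("v1 clean", clean), ("janus", prepend_dex(clean)),
               ("v2 clean", insert_fake_v2_block(clean))]
    for name, blob in samples:
        verdict = "JANUS POLYGLOT" if is_janus_polyglot(blob) else "ok"
        print(f"{name:9s} {verdict:15s} {analyse(blob)} entries={entry_names(blob)}")
```

The interesting output is the "janus" sample: `entry_names` still lists the three original entries, which is exactly why a v1 signature check passes, while `prefix_bytes` is non-zero and the file starts with the DEX magic. A non-zero prefix on an APK is a useful red flag on its own, since nothing in a legitimately built APK lives in front of the first local file header.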

Security analysts stress that the vulnerability lets attackers add malicious code to an APK archive without invalidating it. A user who believes they are installing a properly checked and signed program may in fact be installing an app that a third party has tampered with, and because the certificate is unchanged, the modified version can even be pushed as an "update" to an app already on the device. If such modified applications circulate, whether through third-party stores or as direct downloads, they give attackers a foothold for a wide range of attacks with the permissions of the original app.

Manufacturers are urged to ship the December update for their devices promptly. Developers, for their part, are advised to sign their apps with APK signature scheme v2, which signs the whole file rather than just the archive entries, so that any bytes prepended to the APK break the signature; v2 is enforced from Android 7.0 onwards, so users of older devices remain dependent on the vendor patch and should stick to installing apps from trusted sources in the meantime.

Source: guardsquare.com.
