New "Janus" vulnerability - all Android smartphones from 5.1.1 to 8.0 are at risk

Researchers from GuardSquare have described a new vulnerability in Android that affects versions 5.1.1 to 8.0 inclusive. The flaw, reported to Google in July, has been assigned the identifier CVE-2017-13156. Once a crafted APK is run through the installer, it allows an attacker to modify any installed application (even a system one!) without invalidating its digital signature. The fix shipped in Google's December security update, which of course only a fraction of devices will ever receive (but you know that already). In practice the Janus vulnerability affects as many as 74% of smartphones on the market and is as critical from a security standpoint as BlueBorne, Stagefright, Metaphor or QuadRooter.

Janus - the APK file is not what it claims to be

The researchers explain that Android applications are in fact ZIP archives with the extension ".APK" (Android Package Kit), so they can be unpacked with ordinary decompression tools such as WinRAR or 7-Zip. The vulnerability stems from the fact that additional bytes, namely a DEX (Dalvik Executable) file, can be placed in front of the contents of the APK.

Diagram: how the Dalvik virtual machine and its successor, ART, work.

A DEX file can be prepended to an APK without invalidating its digital signature, because the signature covers the entries of the archive rather than the raw bytes of the file. The Android system then "accepts" the modified file as an update to the previously installed version of the application. An attacker can use this to hide a malicious payload, which unfortunately will not be treated as harmful, or to update an application without the developer's knowledge.

Trend Micro explains that placing the malicious code in a DEX file prepended to the APK is enough to trigger it on vulnerable versions of Android.

Because the APK is treated as a ZIP archive, arbitrary bytes can be added at the beginning of the file or between its data blocks; ZIP readers locate the archive's contents from the end of the file, so the entries still verify. The virtual machine that runs applications on Android (Dalvik, and its successor ART) first opens the file, then loads the DEX from it and executes the code. On vulnerable versions the runtime decides what the file is by looking at its header: if the first bytes are a DEX header, the file is loaded as a bare DEX instead of as an archive, so the attacker's code is what ends up in memory and runs. Note that only applications signed with the older APK Signature Scheme v1 (JAR signing) are affected; the v2 scheme introduced in Android 7.0 hashes the whole file, so prepended bytes invalidate the signature.
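The file-format trick described in the three paragraphs above, as an added illustration that is not code from the AVLab article, GuardSquare or Trend Micro: the Python below builds a toy "APK" (a zip holding a manifest and classes.dex), models the v1-style signature as a digest over the archive entries and models the vulnerable runtime's header check, then shows that prepending a second DEX leaves the entry digest intact while the loader picks up the attacker's DEX. The whole-file digest and the install-time header check are simplified stand-ins for APK Signature Scheme v2 and for a pre-install format check, not the real implementations, and the DEX contents and package name are constructed.

```python
import hashlib
import io
import zipfile

DEX_MAGIC = b"dex\n035\0"        # every Dalvik Executable starts with this header
ZIP_LOCAL_MAGIC = b"PK\x03\x04"  # a zip file starts with a local file header


def build_apk(dex_bytes: bytes) -> bytes:
    """Constructed sample: a minimal 'APK', i.e. a zip holding a manifest and classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='com.example.app'/>")
        z.writestr("classes.dex", dex_bytes)
    return buf.getvalue()


def v1_entry_digest(apk: bytes) -> str:
    """Simplified model of APK Signature Scheme v1 (JAR signing): the digests
    cover the archive entries, which a zip reader finds through the central
    directory at the END of the file, not the raw bytes of the file."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in sorted(z.namelist()):
            h.update(name.encode() + b"\0" + z.read(name))
    return h.hexdigest()


def v2_whole_file_digest(apk: bytes) -> str:
    """Simplified model of APK Signature Scheme v2 (Android 7.0+): the digest
    covers the file bytes themselves, so prepended data breaks the signature."""
    return hashlib.sha256(apk).hexdigest()


def janus_inject(signed_apk: bytes, attacker_dex: bytes) -> bytes:
    """The Janus trick: put a complete DEX in front of a signed APK.
    The zip entries, and therefore the v1 digests, are unchanged."""
    return attacker_dex + signed_apk


def vulnerable_loader(file_bytes: bytes) -> bytes:
    """Model of the pre-patch runtime: a file whose first bytes are the DEX
    magic is loaded as a bare DEX; otherwise classes.dex is read from the zip.
    Returns the bytes the VM would execute."""
    if file_bytes.startswith(DEX_MAGIC):
        return file_bytes
    with zipfile.ZipFile(io.BytesIO(file_bytes)) as z:
        return z.read("classes.dex")


def hardened_install_check(file_bytes: bytes) -> bool:
    """Assumed pre-install check (an illustration, not Google's actual patch):
    refuse any file that does not start as a zip or that starts with the DEX
    magic, so the runtime can never interpret the file differently from the
    signature verifier."""
    return file_bytes.startswith(ZIP_LOCAL_MAGIC) and not file_bytes.startswith(DEX_MAGIC)


def demo() -> dict:
    """Run the attack against the toy APK and report what each check sees."""
    genuine_dex = DEX_MAGIC + b"genuine application code"  # constructed
    attacker_dex = DEX_MAGIC + b"attacker code"            # constructed
    original = build_apk(genuine_dex)
    tampered = janus_inject(original, attacker_dex)
    return {
        "v1_digest_unchanged": v1_entry_digest(original) == v1_entry_digest(tampered),
        "v2_digest_unchanged": v2_whole_file_digest(original) == v2_whole_file_digest(tampered),
        "original_runs_genuine_dex": vulnerable_loader(original) == genuine_dex,
        "tampered_runs_attacker_dex": vulnerable_loader(tampered).startswith(attacker_dex),
        "hardened_accepts_original": hardened_install_check(original),
        "hardened_accepts_tampered": hardened_install_check(tampered),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Running demo() shows the core of Janus: the entry-based v1 digest is identical for the original and the tampered file, yet the header-driven loader executes the attacker's DEX from the tampered one. The whole-file digest changes as soon as bytes are prepended, which is why apps signed with scheme v2 are not affected; the header check models the kind of format validation an installer can apply to apps that only carry a v1 signature.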

The researchers reported the vulnerability in July 2017; the security update appeared a few days ago. Trend Micro has found one malware sample exploiting Janus. The malicious application has already been removed from the Google Play store.

Splitting the APK file into parts

There was one more trick involving APK files. In another case, malware authors could use a bug in the mobile Google Chrome browser. Normally, when a file is downloaded, the user has to approve the download. However, an APK can be split into 1024-byte pieces that are passed to the save function through the Blob() class; the browser then saves them to the device piece by piece without the user's knowledge, and once the download completes the pieces are reassembled into the malicious application. The weakest link in this trick is that it still requires user interaction: unless the user installs the program, the trojan simply remains on the smartphone as an inert file. That does not change the fact that this technique of pulling a resource from a remote server onto a mobile device (without any interaction from the user) has been used in real attacks.

We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.