Android, since its first release, has required developers to sign their applications, so that the developers don’t have to worry about modified APKs causing problems, and users are kept secure. Well, until today.
GuardSquare, a security firm based in Belgium, has found out a vulnerability in Android. Nicknamed ‘Janus,’ it allows attackers to add additional content to an APK without without affecting its signature.
The word ‘Janus’ is named after the Roman god of duality. The root of the problem is that a file can be a valid APK file and a valid DEX file at the same time and it stems from the possibility to add extra bytes to APK files and to DEX files.
The Janus vulnerability works by combining an unmodified APK file with a modified DEX executable, which doesn’t concern the application signature. The Android system, after checking the signature, would allow the installation. In simple words, this allows attackers to replace any app a malicious version.
The scope of this vulnerability, though, is fairly limited, as it only affects apps signed with Android’s original JAR-based signing scheme, which was replaced with Signature Scheme v2 in Android 7.0 Nougat. And this also only concerns apps downloaded from outside the Play Store.