
The Android ecosystem is growing, but it still has security issues that may have compromised millions of devices.
A critical vulnerability has been discovered. Dubbed 'Janus', it allows attackers to secretly overwrite legitimate applications installed on users' smartphones with malicious versions.
This is possible because of the way Android handles APK installation for some apps, which leaves room to add a few extra bytes of code to an .apk file without affecting the application's signature.
When an app is about to be updated, the Android device checks the APK header information to determine whether the archive contains code in compressed DEX files.
If the header indicates that the APK archive contains DEX files, the virtual machine decompiles the code accordingly and executes it. Otherwise, it runs the code as a regular APK file.
However, it turns out that an APK archive can contain DEX files and regular application code at the same time, without affecting its validity or its signatures.
Researchers found that this ability to add extra bytes of code, which exists because of a lack of file integrity checking, allows hackers to add malicious code compiled in DEX format to an APK archive that contains legitimate code with valid signatures.
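As an added example (not code from the original article or from GuardSquare), the following Python check flags the file shape Janus relies on: a DEX header sitting in front of an otherwise valid ZIP. It reads the ZIP's end-of-central-directory record to measure how many bytes precede the archive, reports whether a v2 APK Signing Block is present, and runs against a constructed in-memory fixture rather than a real app; the fixture's entry names and contents are placeholders.

```python
import io
import struct
import zipfile
DEX_MAGIC = b"dex\n"                       # leading bytes of every .dex file, e.g. "dex\n035\0"
EOCD_SIG = b"PK\x05\x06"                   # ZIP end-of-central-directory record signature
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # 16-byte magic that ends a v2 APK Signing Block


def find_eocd(data: bytes) -> int:
    """Offset of the ZIP end-of-central-directory record, or -1 if there is none."""
    # The EOCD is 22 bytes plus an optional comment of up to 65535 bytes, so scan from the tail.
    return data.rfind(EOCD_SIG, max(0, len(data) - 22 - 65535))


def check_apk(data: bytes) -> dict:
    """Report Janus-relevant indicators for an APK image held in memory."""
    eocd = find_eocd(data)
    if eocd < 0:
        raise ValueError("not a ZIP archive: no end-of-central-directory record")
    # EOCD layout: sig(4) disk(2) cd_disk(2) entries(2) total(2) cd_size(4) cd_offset(4) comment_len(2)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    cd_start = eocd - cd_size  # where the central directory actually sits in this file
    # cd_offset is relative to the original archive start, so any difference is data prepended to the ZIP
    bytes_before_zip = cd_start - cd_offset
    # a v2 APK Signing Block sits immediately before the central directory and ends with its magic
    has_v2 = cd_start >= 16 and data[cd_start - 16:cd_start] == APK_SIG_BLOCK_MAGIC
    starts_with_dex = data.startswith(DEX_MAGIC)
    return {
        "starts_with_dex_magic": starts_with_dex,
        "bytes_before_zip": bytes_before_zip,
        "has_v2_signing_block": has_v2,
        # a DEX header in front of a ZIP is the Janus shape; any leading bytes at all are a red flag
        "is_suspicious": starts_with_dex or bytes_before_zip > 0,
    }


def build_sample_apk(prefix: bytes = b"") -> bytes:
    """Constructed fixture: a minimal ZIP standing in for a v1-signed APK, with optional prepended bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 8)         # placeholder, not real bytecode
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")  # v1 signature lives in ZIP entries only
    return prefix + buf.getvalue()


if __name__ == "__main__":
    print("clean:   ", check_apk(build_sample_apk()))
    # constructed stand-in for the Janus shape: a DEX-looking header in front of an untouched archive
    print("tampered:", check_apk(build_sample_apk(b"dex\n035\0" + b"\0" * 24)))
```

A v1-signed APK only has its ZIP entries covered by the signature, which is why the prepended bytes go unnoticed by the signature check itself; the v2 scheme signs the whole file, so a file carrying a v2 block with leading bytes would fail verification outright.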

"When the user downloads an update of an application, the Android runtime compares its signature with the signature of the original version. If the signatures match, the Android runtime proceeds to install the update," explained GuardSquare.
This tricks the app installation process into executing both sets of code on the targeted device without being detected.
After creating malicious but valid versions of legitimate applications, the apps work like the originals, but the added code allows hackers to distribute them through various attack vectors, including spam emails, third-party app stores delivering fake apps and updates, social engineering, and even man-in-the-middle attacks.
"The updated application inherits the permissions of the original application. Attackers can, therefore, use the Janus vulnerability to mislead the update process and get an unverified code with powerful permissions installed on the devices of unsuspecting users."

The vulnerability (CVE-2017-13156) was first discovered by security researchers from mobile security firm GuardSquare, and it has been reported to Google.
Google worked quickly and patched the flaw, along with about four dozen other vulnerabilities, as of December 2017.
But there is another problem, a familiar one that has dogged Android since its inception: the mobile operating system is open source and is used by a variety of smartphone brands.
As a result, most Android users won't receive these patches for at least a few months after Google rolls out the update. Because device manufacturers (OEMs) release their own customized updates, the process takes even longer, leaving a large number of smartphone users vulnerable to hackers.
The vulnerability affects apps using APK signature scheme v1 installed on devices running Android 5 Lollipop and 6 Marshmallow. Android 7 Nougat, which uses signature scheme v2, is not affected.
As a precaution, users should never install apps or updates from outside the Google Play store. Researchers also advised Android developers to use signature scheme v2 to ensure their apps cannot be tampered with.