
Update your Android phones soon. New vulnerability named "Janus" allows attackers to modify apps without changing signatures

captain_to_fire

Sources: Android Police, Guard Square, Android Security Bulletin

 

Quote

GuardSquare, a security firm based in Belgium, published a report today about a vulnerability it discovered in Android. Nicknamed 'Janus,' it allows attackers to add additional content to an APK without breaking the signature. Normally, Android checks the signature of the APK file, and if it matches the previous signature, the app is compiled into a DEX file for running on the device. Janus works by combining an unmodified APK file with a modified DEX executable, which doesn't affect the app signature. The Android system would allow the installation, then start running code from the DEX header. Simply put, this would allow attackers to replace any app (ideally one with many permissions already granted, like system apps) with a malicious version.

[Image: Apk_Dex_Dual.png]

 

So basically we're ending 2017 with security vulnerabilities. This time, tampering with an Android app without changing signatures. The researchers from Guard Square say the following:

Quote

The Janus vulnerability stems from the possibility to add extra bytes to APK files and to DEX files. On the one hand, an APK file is a zip archive, which can contain arbitrary bytes at the start, before its zip entries (actually more generally, between its zip entries). The JAR signature scheme only takes into account the zip entries. It ignores any extra bytes when computing or verifying the application's signature. On the other hand, a DEX file can contain arbitrary bytes at the end, after the regular sections of strings, classes, method definitions, etc. A file can, therefore, be a valid APK file and a valid DEX file at the same time.

 

Another key element is a seemingly harmless feature of the Dalvik/ART virtual machine. In theory, the Android runtime loads the APK file, extracts its DEX file and then runs its code. In practice, the virtual machine can load and execute both APK files and DEX files. When it gets an APK file, it still looks at the magic bytes in the header to decide which type of file it is. If it finds a DEX header, it loads the file as a DEX file. Otherwise, it loads the file as an APK file containing a zip entry with a DEX file. It can thus misinterpret dual DEX/APK files. An attacker can leverage this duality. He can prepend a malicious DEX file to an APK file, without affecting its signature. The Android runtime then accepts the APK file as a valid update of a legitimate earlier version of the app. However, the Dalvik VM loads the code from the injected DEX file.

 

Threats

An attacker can replace a trusted application with high privileges (a system app, for instance) by a modified update to abuse its permissions. Depending on the targeted application, this could enable the hacker to access sensitive information stored on the device or even take over the device completely. Alternatively, an attacker can pass a modified clone of a sensitive application as a legitimate update, for instance in the context of banking or communications. The cloned application can look and behave like the original application but inject malicious behavior.

 

The Janus vulnerability affects recent Android devices (Android 5.0 and newer). Applications that have been signed with APK signature scheme v2 and that are running on devices supporting the latest signature scheme (Android 7.0 and newer) are protected against the vulnerability. Unlike scheme v1, this scheme v2 considers all bytes in the APK file. Older versions of applications and newer applications running on older devices remain susceptible. Developers should at least always apply signature scheme v2.

 

The vulnerability was reported to Google on July 31, 2017; Google released the patch to its partners in November, and it was released on December 5, 2017. Now, this begs the question: how many Android phones will receive this update? This reminds me a lot of that CCleaner malware, where an attacker modified CCleaner but the digital signature remained unchanged and it could be used to execute other malware. Lucky for Android 7.0 Nougat and above users, as apps signed using scheme v2 are protected from the vulnerability. Sucks for the rest who are still on Marshmallow and below.

As more and more phones are activated and connect online, threats will move to mobile as well. I can see a scenario where a hacker tampers with a banking app like the "Citibank app", sideloads a keylogger into the APK and uses that to steal login credentials; the hacker can then steal money from the individual or make purchases under their name. Some cybercriminals steal small amounts of money to avoid detection, so it can go on for a very long time.

 

To be fair, even something as locked down as iOS, which is getting more and more popular among enterprise users, can get infected by malware, as the findings from Symantec suggest, although very rarely, as most iOS malware targets jailbreakers and Apple is very quick in patching vulnerabilities and keeping their iOS devices up to date for a long time. This somehow brings up another issue: Android fragmentation. Too many Android devices, but only a tiny fraction get security updates. You may think that your Android phone is fine as it has a built-in anti-virus called "Google Play Protect"; as it turns out, Google Play Protect is kinda like Windows Defender when it comes to detection rates. https://www.computerworld.com/article/3236194/android/google-play-protect.html

 

Also, why did it take so long for Google to patch the vulnerability? The bug was submitted to them in July, but the patch only became available to OEMs in November. But so as not to dismiss Android's security features, Google has implemented some new security features to deter ransomware infections by hardening the OS [video here].


There is more that meets the eye
I see the soul that is inside
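As an added example (not code from the original post, GuardSquare or Google), a Python triage script that checks an APK image for the dual DEX/APK layout the quoted report describes: a DEX magic at offset 0, bytes prepended before the zip entries, and the presence of an APK signature scheme v2 block. The fixtures are constructed in-memory archives; the zip end-of-central-directory record and the "APK Sig Block 42" trailer are the standard formats, and the signing block the fixture inserts is a placeholder with no real signature.

```python
"""Triage of the dual DEX/APK (Janus) layout from the quoted report.
Added example, not GuardSquare's or Google's code; fixtures are constructed.
"""
import io
import struct
import zipfile
DEX_MAGIC = b"dex\n"                       # start of the DEX header magic "dex\n035\0"
ZIP_EOCD = b"PK\x05\x06"                   # zip end-of-central-directory record
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # trailer of the scheme v2 APK Signing Block

def zip_layout(data):
    """Return (recorded central-directory offset, actual CD start) or None."""
    eocd = data.rfind(ZIP_EOCD)
    if eocd < 0 or eocd + 22 > len(data):
        return None
    cd_size, cd_off = struct.unpack_from("<II", data, eocd + 12)
    return cd_off, eocd - cd_size  # assumes no zip64 and nothing between CD and EOCD

def has_v2_signing_block(data):
    """True if the 16-byte signing-block magic ends exactly where the CD begins."""
    layout = zip_layout(data)
    if layout is None or layout[1] < 16:
        return False
    return data[layout[1] - 16:layout[1]] == APK_SIG_BLOCK_MAGIC

def triage_apk(data):
    """Summarise the Janus-relevant indicators for one APK image."""
    layout = zip_layout(data)
    # Bytes prepended to the archive push the real CD start past the recorded offset.
    prepended = max(layout[1] - layout[0], 0) if layout else None
    starts_with_dex = data.startswith(DEX_MAGIC)
    return {
        "starts_with_dex_magic": starts_with_dex,        # runtime takes the DEX path
        "prepended_bytes": prepended,                    # invisible to the v1 signature
        "v2_signing_block": has_v2_signing_block(data),  # v2 covers every byte on 7.0+
        "janus_layout": starts_with_dex and bool(prepended),
    }

def entry_names(data):
    """Zip entries as the v1 (JAR) verifier sees them; any prefix is skipped."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()

# Constructed fixtures, not real applications.
def build_plain_apk():
    """Minimal unsigned archive with a classes.dex entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 24)
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
    return buf.getvalue()

def build_dual_dex_apk(apk):
    """Put a 32-byte DEX-magic stub before the zip: both parsers still accept it."""
    return b"dex\n035\x00" + b"\x00" * 24 + apk

def add_fake_v2_block(apk):
    """Insert a block shaped like an APK Signing Block (placeholder, no real signature)."""
    eocd = apk.rfind(ZIP_EOCD)
    cd_off = struct.unpack_from("<I", apk, eocd + 16)[0]
    pairs = b"\x00" * 8                    # placeholder ID-value region
    size = len(pairs) + 8 + 16             # block size excludes its leading size field
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    eocd_rec = apk[eocd:eocd + 16] + struct.pack("<I", cd_off + len(block)) + apk[eocd + 20:]
    return apk[:cd_off] + block + apk[cd_off:eocd] + eocd_rec

if __name__ == "__main__":
    plain = build_plain_apk()
    for name, image in (("plain", plain), ("dual", build_dual_dex_apk(plain)),
                        ("dual+v2", build_dual_dex_apk(add_fake_v2_block(plain)))):
        print(name, entry_names(image), triage_apk(image))
```

On the dual file the zip entry list is unchanged, which is why a v1-only check passes; the same prefix would break scheme v2 verification on devices that enforce it, so the presence of a v2 block only helps on Android 7.0 and newer.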

 

 


As stated in the Symantec article I linked, there are a handful of iOS malware because of vulnerabilities:

Quote
  • Via App Store (example known campaign includes XcodeGhost)
  • Via malicious app using Apple-approved certificate (example known campaign includes AceDeceiver)
  • Via sideloaded app (example known campaign includes Yispecter)
  • Via jailbroken device (example known campaign includes Xsser mRAT)
  • Via cable (example known campaigns include Wirelurker, Malicious Chargers)
  • Via malicious settings (example known campaign includes Malicious Profiles)
  • By leveraging an OS vulnerability (example known campaign includes Pegasus)

But then Apple has the advantage over many Android OEMs as Apple controls both software and hardware and they can quickly patch these vulnerabilities. So I'd rather say it's less likely to happen on up to date and not jailbroken iPhones.


There is more that meets the eye
I see the soul that is inside

 

 


6 minutes ago, VegetableStu said:

EDIT to pre-empt: yeah anyone got a more up-to-date graph here? I thought the biggest slice was the most recent OS (and also assuming they're of phones that would most likely to be updated) but then I remembered it's Oreo ._.

Looks like only 18% of Android users are fine :(

There is more that meets the eye
I see the soul that is inside

 

 


18 minutes ago, hey_yo_ said:

But then Apple has the advantage over many Android OEMs as Apple controls both software and hardware and they can quickly patch these vulnerabilities. So I'd rather say it's less likely to happen on up to date and not jailbroken iPhones.

I think it's also worth noting that because iOS isn't open source whereas Android is, Android vulnerabilities can be more easily detected just by looking at the code, whereas you can't do that with iOS.

 

Same reason why Linux is secure. People can look over the source code.

 

Whether or not this actually makes it more secure is debatable though. While generally it's gonna be more secure because there are more people to detect bugs it also means it's easier for hackers to find vulnerabilities.

 

Once you include the fact that there are so many out-of-date Android phones though... yeah, iOS is more secure (though that doesn't necessarily apply to Android phones that are getting updates).

Make sure to quote me or tag me when responding to me, or I might not know you replied! Examples:

 

Do this:

Quote

And make sure you do it by hitting the quote button at the bottom left of my post, and not the one inside the editor!

Or this:

@DocSwag

 

Buy whatever product is best for you, not what product is "best" for the market.

 

Interested in computer architecture? Still in middle or high school? P.M. me!

 

I love computer hardware and feel free to ask me anything about that (or phones). I especially like SSDs. But please do not ask me anything about Networking, programming, command line stuff, or any relatively hard software stuff. I know next to nothing about that.

 

Compooters:

Spoiler

Desktop:

Spoiler

CPU: i7 6700k, CPU Cooler: be quiet! Dark Rock Pro 3, Motherboard: MSI Z170a KRAIT GAMING, RAM: G.Skill Ripjaws 4 Series 4x4gb DDR4-2666 MHz, Storage: SanDisk SSD Plus 240gb + OCZ Vertex 180 480 GB + Western Digital Caviar Blue 1 TB 7200 RPM, Video Card: EVGA GTX 970 SSC, Case: Fractal Design Define S, Power Supply: Seasonic Focus+ Gold 650w Yay, Keyboard: Logitech G710+, Mouse: Logitech G502 Proteus Spectrum, Headphones: B&O H9i, Monitor: LG 29um67 (2560x1080 75hz freesync)

Home Server:

Spoiler

CPU: Pentium G4400, CPU Cooler: Stock, Motherboard: MSI h110l Pro Mini AC, RAM: Hyper X Fury DDR4 1x8gb 2133 MHz, Storage: PNY CS1311 120gb SSD + two Segate 4tb HDDs in RAID 1, Video Card: Does Intel Integrated Graphics count?, Case: Fractal Design Node 304, Power Supply: Seasonic 360w 80+ Gold, Keyboard+Mouse+Monitor: Does it matter?

Laptop (I use it for school):

Spoiler

Surface book 2 13" with an i7 8650u, 8gb RAM, 256 GB storage, and a GTX 1050

And if you're curious (or a stalker) I have a Just Black Pixel 2 XL 64gb

 


9 minutes ago, VegetableStu said:

how many people are SOL here...?

All my android devices are either gingerbread or jelly bean... Yeay?
(only one of them is still in use, LG-E440 with an RGB home button)


1 minute ago, DocSwag said:

(though that doesn't necessarily apply to android phones that are getting updates)

Rejoice Google Pixel users xD

5 minutes ago, DocSwag said:

I think it's also worth noting that because iOS isn't open source whereas Android is, Android vulnerabilities can be more easily detected just by looking at the code, whereas you can't do that with iOS.

Apple has a bug bounty though. https://developer.apple.com/bug-reporting/

I just hope they've fixed the problem of low payouts to further motivate security researchers (white hats and gray hats) to submit vulnerabilities to Apple. 

 

There is more that meets the eye
I see the soul that is inside

 

 


update? Good joke my friend!

 

My S2 hasn't received updates for a few years now xD. Not quite sure what hackers would want to steal there, since I have zero valuable information on it.


1 minute ago, hey_yo_ said:

Apple has a bug bounty though. https://developer.apple.com/bug-reporting/

I just hope they've fixed the problem of low payouts to further motivate security researchers (white hats and gray hats) to submit vulnerabilities to Apple. 

I know that; what I was saying is that because Android is open source it's easier for people to find bugs, because they can just look at the source code to help them, whereas on iOS you can't do that.

Make sure to quote me or tag me when responding to me, or I might not know you replied! Examples:

 

Do this:

Quote

And make sure you do it by hitting the quote button at the bottom left of my post, and not the one inside the editor!

Or this:

@DocSwag

 

Buy whatever product is best for you, not what product is "best" for the market.

 

Interested in computer architecture? Still in middle or high school? P.M. me!

 

I love computer hardware and feel free to ask me anything about that (or phones). I especially like SSDs. But please do not ask me anything about Networking, programming, command line stuff, or any relatively hard software stuff. I know next to nothing about that.

 

Compooters:

Spoiler

Desktop:

Spoiler

CPU: i7 6700k, CPU Cooler: be quiet! Dark Rock Pro 3, Motherboard: MSI Z170a KRAIT GAMING, RAM: G.Skill Ripjaws 4 Series 4x4gb DDR4-2666 MHz, Storage: SanDisk SSD Plus 240gb + OCZ Vertex 180 480 GB + Western Digital Caviar Blue 1 TB 7200 RPM, Video Card: EVGA GTX 970 SSC, Case: Fractal Design Define S, Power Supply: Seasonic Focus+ Gold 650w Yay, Keyboard: Logitech G710+, Mouse: Logitech G502 Proteus Spectrum, Headphones: B&O H9i, Monitor: LG 29um67 (2560x1080 75hz freesync)

Home Server:

Spoiler

CPU: Pentium G4400, CPU Cooler: Stock, Motherboard: MSI h110l Pro Mini AC, RAM: Hyper X Fury DDR4 1x8gb 2133 MHz, Storage: PNY CS1311 120gb SSD + two Segate 4tb HDDs in RAID 1, Video Card: Does Intel Integrated Graphics count?, Case: Fractal Design Node 304, Power Supply: Seasonic 360w 80+ Gold, Keyboard+Mouse+Monitor: Does it matter?

Laptop (I use it for school):

Spoiler

Surface book 2 13" with an i7 8650u, 8gb RAM, 256 GB storage, and a GTX 1050

And if you're curious (or a stalker) I have a Just Black Pixel 2 XL 64gb

 


Well, I'm protected. Still crossing my fingers for 8.0 on my S6 though. 

| Ryzen 7 7800X3D | AM5 B650 Aorus Elite AX | G.Skill Trident Z5 Neo RGB DDR5 32GB 6000MHz C30 | Sapphire PULSE Radeon RX 7900 XTX | Samsung 990 PRO 1TB with heatsink | Arctic Liquid Freezer II 360 | Seasonic Focus GX-850 | Lian Li Lanccool III | Mousepad: Skypad 3.0 XL / Zowie GTF-X | Mouse: Zowie S1-C | Keyboard: Ducky One 3 TKL (Cherry MX-Speed-Silver)Beyerdynamic MMX 300 (2nd Gen) | Acer XV272U | OS: Windows 11 |


From what I can gather you're safe if you use the Play Store, and if you enable unknown apps you'll be safe if you use APKmirror. In general I'd recommend disabling Unknown Apps and only toggling it on when installing APKs, then disabling it again afterwards.

 

So in essence: you're safe even on an unpatched system.

 

Kids, don't download shit from unknown sources.


1 hour ago, BuckGup said:

snip

1 hour ago, hey_yo_ said:

snip

Reasons why I might end up with an iPhone after my S8+ has had its run. Which I hope can be a bit longer than 2019 but 2019 could be it

a Moo Floof connoisseur and curator.

:x@handymanshandle x @pinksnowbirdie || Jake x Brendan :x
Youtube Audio Normalization
 

 

 


2 minutes ago, wcreek said:

Reasons why I might end up with an iPhone after my S8+ has had its run. Which I hope can be a bit longer than 2019 but 2019 could be it

I'm actually considering going back to Android and maybe getting the S9 because of my disappointment with iOS 11 and that awful iPhone X design. I cancelled my order for the iPhone 8+ and am waiting for something better. The chronological notification center of iOS 11 alone is a big mess and a big pile of poor design.

There is more that meets the eye
I see the soul that is inside

 

 


1 hour ago, VegetableStu said:

snip

Android Updates != Security Updates.

 

Anybody on 5.1 Lollipop or newer should get the latest Security patches from OEMs and/or Google.

Judge a product on its own merits AND the company that made it.

How to setup MSI Afterburner OSD | How to make your AMD Radeon GPU more efficient with Radeon Chill | (Probably) Why LMG Merch shipping to the EU is expensive

Oneplus 6 (Early 2023 to present) | HP Envy 15" x360 R7 5700U (Mid 2021 to present) | Steam Deck (Late 2022 to present)

 

Mid 2023 AlTech Desktop Refresh - AMD R7 5800X (Mid 2023), XFX Radeon RX 6700XT MBA (Mid 2021), MSI X370 Gaming Pro Carbon (Early 2018), 32GB DDR4-3200 (16GB x2) (Mid 2022

Noctua NH-D15 (Early 2021), Corsair MP510 1.92TB NVMe SSD (Mid 2020), beQuiet Pure Wings 2 140mm x2 & 120mm x1 (Mid 2023),


57 minutes ago, Teddy07 said:

update? Good joke my friend!

 

My S2 doesn't receive updates for a few years now xD Not quite sure what hackers want to steal there since I have zero valuable information there.

for Samsung, I'm fairly certain anything newer than an S3 is currently receiving security updates.

Judge a product on its own merits AND the company that made it.

How to setup MSI Afterburner OSD | How to make your AMD Radeon GPU more efficient with Radeon Chill | (Probably) Why LMG Merch shipping to the EU is expensive

Oneplus 6 (Early 2023 to present) | HP Envy 15" x360 R7 5700U (Mid 2021 to present) | Steam Deck (Late 2022 to present)

 

Mid 2023 AlTech Desktop Refresh - AMD R7 5800X (Mid 2023), XFX Radeon RX 6700XT MBA (Mid 2021), MSI X370 Gaming Pro Carbon (Early 2018), 32GB DDR4-3200 (16GB x2) (Mid 2022

Noctua NH-D15 (Early 2021), Corsair MP510 1.92TB NVMe SSD (Mid 2020), beQuiet Pure Wings 2 140mm x2 & 120mm x1 (Mid 2023),


2 hours ago, hey_yo_ said:

Looks like only 18% of Android users are fine :(

Actually, by my calculations 71% of people should theoretically be fine as long as OEMs follow procedure and consumers update their phone.

Judge a product on its own merits AND the company that made it.

How to setup MSI Afterburner OSD | How to make your AMD Radeon GPU more efficient with Radeon Chill | (Probably) Why LMG Merch shipping to the EU is expensive

Oneplus 6 (Early 2023 to present) | HP Envy 15" x360 R7 5700U (Mid 2021 to present) | Steam Deck (Late 2022 to present)

 

Mid 2023 AlTech Desktop Refresh - AMD R7 5800X (Mid 2023), XFX Radeon RX 6700XT MBA (Mid 2021), MSI X370 Gaming Pro Carbon (Early 2018), 32GB DDR4-3200 (16GB x2) (Mid 2022

Noctua NH-D15 (Early 2021), Corsair MP510 1.92TB NVMe SSD (Mid 2020), beQuiet Pure Wings 2 140mm x2 & 120mm x1 (Mid 2023),


4 minutes ago, AluminiumTech said:

Android Updates != Security Updates.

 

Anybody on 5.1 Lollipop or newer should get the latest Security patches from OEMs and/or Google.

I have no updates whatsoever at the moment, and didn't install any updates either. Unless it's a silent update.

"It pays to keep an open mind, but not so open your brain falls out." - Carl Sagan.

"I can explain it to you, but I can't understand it for you" - Edward I. Koch


5 minutes ago, AluminiumTech said:

for Samsung, I'm fairly certain anything newer than an S3 is currently receiving security updates.

My old S6 got a security update from Verizon back in like October. So yeah, security updates still exist for older stuff, don't know about that old but older for sure.

a Moo Floof connoisseur and curator.

:x@handymanshandle x @pinksnowbirdie || Jake x Brendan :x
Youtube Audio Normalization
 

 

 


6 minutes ago, Godlygamer23 said:

I have no updates whatsoever at the moment, and didn't install any updates either. Unless it's a silent update.

It requires the OEM to be committed to doing it.

 

Most phones that age should be eligible for it unless the OEM decides not to.

 

Also, as OP pointed out, the update to patch this isn't out yet.

Judge a product on its own merits AND the company that made it.

How to setup MSI Afterburner OSD | How to make your AMD Radeon GPU more efficient with Radeon Chill | (Probably) Why LMG Merch shipping to the EU is expensive

Oneplus 6 (Early 2023 to present) | HP Envy 15" x360 R7 5700U (Mid 2021 to present) | Steam Deck (Late 2022 to present)

 

Mid 2023 AlTech Desktop Refresh - AMD R7 5800X (Mid 2023), XFX Radeon RX 6700XT MBA (Mid 2021), MSI X370 Gaming Pro Carbon (Early 2018), 32GB DDR4-3200 (16GB x2) (Mid 2022

Noctua NH-D15 (Early 2021), Corsair MP510 1.92TB NVMe SSD (Mid 2020), beQuiet Pure Wings 2 140mm x2 & 120mm x1 (Mid 2023),


24 minutes ago, AluminiumTech said:

Actually, by my calculations 71% of people should theoretically be fine as long as OEMs follow procedure and consumers update their phone.

If only many of these Android OEMs commit to pushing out security updates like Google or even Blackberry. 

There is more that meets the eye
I see the soul that is inside

 

 


25 minutes ago, Godlygamer23 said:

I have no updates whatsoever at the moment, and didn't install any updates either. Unless it's a silent update.

What phone do you currently have? The update should be available soon, provided by OEMs.

 

There is more that meets the eye
I see the soul that is inside

 

 


Just now, hey_yo_ said:

What phone do you currently have? The update should be available soon, provided by OEMs.

HTC One M8.

"It pays to keep an open mind, but not so open your brain falls out." - Carl Sagan.

"I can explain it to you, but I can't understand it for you" - Edward I. Koch


36 minutes ago, AluminiumTech said:

Android Updates != Security Updates.

 

Anybody on 5.1 Lollipop or newer should get the latest Security patches from OEMs and/or Google.

Problem is they don't. They might get occasional updates but not monthly.

 

Case in point: I'm on a Huawei P10 Lite (budget device). I get updates every 3-4 months and the patch level is 2-3 months behind. I'm on the September patch which I got in November. 

 

If you're on a flagship device you might get monthly or regular updates in some fashion. The majority of OEMs don't commit to anything.


39 minutes ago, hey_yo_ said:

I'm actually considering going back to Android and maybe getting the S9 because of my disappointment with iOS 11 and that awful iPhone X design. I cancelled my order for the iPhone 8+ and am waiting for something better. The chronological notification center of iOS 11 alone is a big mess and a big pile of poor design.

I disagree. I like to see every notification. Otherwise I miss messages.

31 minutes ago, AluminiumTech said:

Android Updates != Security Updates.

 

Anybody on 5.1 Lollipop or newer should get the latest Security patches from OEMs and/or Google.

Do carriers still "QA" these updates, which results in delayed updates that usually end up screwing up your phone? Looking at you, Verizon.

5800X3D / ASUS X570 Dark Hero / 32GB 3600mhz / EVGA RTX 3090ti FTW3 Ultra / Dell S3422DWG / Logitech G815 / Logitech G502 / Sennheiser HD 599

2021 Razer Blade 14 3070 / S23 Ultra


4 minutes ago, hey_yo_ said:

What phone do you currently have? The update should be available soon, provided by OEMs.

 

This is the worst part of Android for me. Even worse, it's not necessarily the OEM: sometimes it is, sometimes it's up to your carrier... A perfectly informed consumer trying to be on the safe side may still be unpatched, because he can't do anything about it on his own.

And, for some reason, we are slowly bringing some of that logic to our desktops...

People often fantasize about the day handheld devices and "dumb" desk stations replace PCs as we know them, but these toys still have a long way to go before having a shot at the serious stuff...

