Janus vulnerability allows attackers to circumvent APK digital signature protection

Jesse Han   2017.12.11 6:57

In general, when we install an update of an app, Android verifies the digital signature of the app file, a signature that only the original developer can produce. If the app file has been modified, the signature is different and installation of the update is prevented.

The Janus vulnerability, however, allows this protection to be circumvented. It allows an attacker to add dangerous code to the original APK and release it on the web with a seemingly authentic signature. The modified app can then be installed easily without the user realizing the danger, since the update shows the same signature as the app already installed.

This is clearly a considerable danger, because a modified APK could contain malware that steals personal data or performs other operations on the victim's device.

Fortunately, a new signature scheme was introduced in Android 7.0 Nougat, so devices running that version or later are relatively safe. The same cannot be said for earlier Android versions.
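As an added example (not from the original post), the following triage check reports whether an APK carries a signing block for the scheme introduced in Android 7.0 (APK Signature Scheme v2) and whether the file begins with a ZIP local file header. The function name `inspect_apk` is hypothetical, and the check only detects presence: it does not verify the signature, which is the job of a tool such as `apksigner verify`.

```python
import struct

# Constants from the public ZIP and APK Signature Scheme v2 formats.
EOCD_MAGIC = b"PK\x05\x06"          # ZIP End of Central Directory record
LOCAL_MAGIC = b"PK\x03\x04"         # ZIP local file header
SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_ID = 0x7109871A                  # ID of the v2 signature entry

def inspect_apk(data: bytes) -> dict:   # hypothetical helper name
    """Report whether an APK has a v2 signing block and whether the file
    starts with a ZIP local header (no unexpected leading bytes)."""
    eocd = data.rfind(EOCD_MAGIC, max(0, len(data) - 65557))
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("not a ZIP/APK: no End of Central Directory record")
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    result = {"starts_with_zip_header": data[:4] == LOCAL_MAGIC,
              "has_signing_block": False, "has_v2_signature": False}
    # The signing block, if present, ends right before the central directory:
    # uint64 size | ID-value pairs | uint64 size | 16-byte magic | central dir
    if (cd_offset < 32 or cd_offset > eocd
            or data[cd_offset - 16:cd_offset] != SIG_BLOCK_MAGIC):
        return result
    size = struct.unpack_from("<Q", data, cd_offset - 24)[0]
    start = cd_offset - size - 8         # position of the leading size field
    if size < 24 or start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        return result                    # malformed block: treat as absent
    result["has_signing_block"] = True
    pos, end = start + 8, cd_offset - 24
    while pos + 12 <= end:               # each pair: uint64 length, uint32 ID, value
        length, entry_id = struct.unpack_from("<QI", data, pos)
        if length < 4 or pos + 8 + length > end:
            break
        if entry_id == V2_ID:
            result["has_v2_signature"] = True
        pos += 8 + length
    return result

if __name__ == "__main__":
    import io, zipfile
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:   # constructed sample, not a real APK
        z.writestr("classes.dex", b"constructed placeholder")
    print(inspect_apk(buf.getvalue()))
```

An APK that reports no v2 signature, or that does not start with a ZIP header, deserves closer inspection before it is installed on a device running an older Android version.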

Mountain View has already released a bug fix in the December Android security patches, but so far very few devices can receive the update. So if you have a mobile device with an older Android version, you should install apps only from secure sources.