Since the first release, Android has required developers to sign their applications. When you update an app, Android will compare the update’s signature to the existing version. If they match, the app update will install. This way, developers don’t have to worry about modified APKs causing problems, and users are kept secure.
GuardSquare, a security firm based in Belgium, published a report today about a vulnerability it discovered in Android. Nicknamed ‘Janus,’ it allows attackers to add additional content to an APK without breaking the signature. Normally, Android checks the signature of the APK file, and if it matches the previous signature, the app is compiled into a DEX file for running on the device.
Janus works by combining an unmodified APK file with a modified DEX executable, which doesn’t affect the app signature. The Android system would allow the installation, then start running code from the DEX header. Simply put, this would allow attackers to replace any app (ideally one with many permissions already granted, like system apps) with a malicious version.
It’s worth noting that the scope of this vulnerability is fairly limited. It only affects applications signed with Android’s original JAR-based signing scheme, which was replaced with Signature Scheme v2 in Android 7.0 Nougat. On newer devices, attackers could only take advantage of apps not using the newer signing method (which mostly consists of old third-party apps).
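As an added example (not code from the article, from GuardSquare, or from Android itself), the following Python script shows the two defender-side checks the description above suggests: whether a file presents a DEX header while also being a well-formed ZIP/APK, which is the dual-format shape Janus relies on, and whether the APK carries an APK Signing Block, i.e. was signed with Signature Scheme v2 or later rather than only the legacy JAR scheme. The sample APK is constructed in memory and is not a real app; the function names (`triage_apk`, `build_sample_apk`) are this example's own. The v2 check only confirms that a signing block is present, it does not verify the signature, and the ZIP parsing assumes a single-disk archive with no ZIP64 locator between the central directory and the end-of-central-directory record.

```python
"""Triage checks for the Janus dual-format shape and for v2 signing (added example)."""
import io
import struct
import zipfile

DEX_MAGIC_PREFIX = b"dex\n"                 # DEX header: "dex\n" + 3-digit version + "\0"
ZIP_EOCD_SIG = b"PK\x05\x06"                # ZIP end-of-central-directory signature
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"   # last 16 bytes of an APK Signing Block


def _find_eocd(data: bytes) -> int:
    """Offset of the EOCD record, or -1. The record is 22 bytes plus an
    optional comment of up to 65535 bytes, so search backwards in that window."""
    window_start = max(0, len(data) - (22 + 65535))
    return data.rfind(ZIP_EOCD_SIG, window_start)


def has_apk_signing_block(data: bytes) -> bool:
    """True if the 16 bytes just before the central directory are the v2 magic.
    The central directory start is derived from the EOCD position and the
    recorded directory size, so prepended data does not shift the check."""
    eocd = _find_eocd(data)
    if eocd < 0:
        return False
    (cd_size,) = struct.unpack_from("<I", data, eocd + 12)  # EOCD: size of CD at +12
    cd_start = eocd - cd_size
    if cd_start < 16:
        return False
    return data[cd_start - 16:cd_start] == APK_SIG_BLOCK_MAGIC


def starts_with_dex_header(data: bytes) -> bool:
    return data[:4] == DEX_MAGIC_PREFIX


def is_valid_zip(data: bytes) -> bool:
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def triage_apk(data: bytes) -> dict:
    """Summarise the file shape. A file that is a DEX by its header and a ZIP by
    its trailer is exactly the ambiguity Janus exploits and should be rejected
    before any signature comparison is attempted."""
    dex = starts_with_dex_header(data)
    zip_ok = is_valid_zip(data)
    return {
        "dex_header": dex,
        "valid_zip": zip_ok,
        "dual_format": dex and zip_ok,
        "v2_signing_block": has_apk_signing_block(data) if zip_ok else False,
    }


def build_sample_apk(with_sig_block: bool = False, dex_prefix: bool = False) -> bytes:
    """Construct a minimal stand-in APK for testing (constructed data, not a real app).
    with_sig_block=True inserts a placeholder block ending in the v2 magic where
    apksigner would place the real one (between the entries and the central directory).
    dex_prefix=True prepends an 8-byte DEX magic so the file also reads as a DEX."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")          # placeholder content
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 24)       # placeholder content
    data = buf.getvalue()
    if with_sig_block:
        eocd = _find_eocd(data)
        cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
        block = b"\0" * 32 + APK_SIG_BLOCK_MAGIC   # stand-in; a real block holds signatures
        data = data[:cd_offset] + block + data[cd_offset:]
        new_eocd = eocd + len(block)
        # Fix up the central-directory offset recorded in the EOCD (+16).
        data = data[:new_eocd + 16] + struct.pack("<I", cd_offset + len(block)) + data[new_eocd + 20:]
    if dex_prefix:
        data = b"dex\n035\0" + data
    return data


if __name__ == "__main__":
    for label, kwargs in [("plain v1-style", {}),
                          ("v2 block present", {"with_sig_block": True}),
                          ("DEX-prefixed (Janus shape)", {"dex_prefix": True})]:
        print(label, triage_apk(build_sample_apk(**kwargs)))
```

In practice a store or MDM pipeline would run such a check on upload and then let `apksigner verify --verbose` do the actual signature verification; the value of the dual-format check is that it rejects the ambiguous file shape outright instead of relying on the installer to notice.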