Attackers Exploit Android Application Package Flaw to Hide Malware

Attackers have started to exploit a vulnerability patched this month in Android that lets them bundle malware with Android application package files (APKs) without invalidating the apps' signatures, and evade antivirus products in the process.

The vulnerability, known as Janus and identified as CVE-2017-13156, was privately reported to Google in July by researchers from mobile security firm GuardSquare. Google included a patch for it in its December Android security bulletin, after sharing it in advance with device manufacturers.

The flaw allows an app to be modified without breaking its digital signature. It stems from the way the Android Runtime (ART) decides what kind of file it has been handed before loading Dalvik Executable (DEX) code from it.

A traditional Android application is a ZIP archive with the extension .apk that contains the app's compiled code (a classes.dex file), its manifest and its resources. A ZIP archive consists of file entries followed by a central directory that lists those entries and their offsets. ZIP parsers locate the central directory by reading from the end of the file, not the beginning, which is why arbitrary bytes can sit in front of the first entry without making the archive unreadable.

When a file is signed using the traditional JAR (Java Archive) signature model, known in Android as APK Signature Scheme v1, a digest of each file entry is recorded in META-INF/MANIFEST.MF and the signature covers those digests. If any of the entries is later altered, its digest no longer matches and the signature is broken. Bytes that are not part of any entry, including anything placed before the first entry, are not covered at all.

In the Android ecosystem, signatures are important for application updates because only an APK signed with the same key is allowed to replace an already installed application. If attackers can bypass the signature integrity check, they can replace existing applications on a user's phone with malicious versions that inherit those apps' permissions and sensitive data, which the Android security model is supposed to protect.

When ART opens a file to load code from it, it does not parse the ZIP structure first. It checks the file's leading magic bytes to decide whether it is a DEX file, that is, compiled Dalvik bytecode, essentially Java classes packed into a single file. If the bytes at offset 0 are the DEX magic, ART treats the entire file as a DEX and the ZIP structure behind it is never consulted.

Therefore, attackers can prepend a DEX file to a legitimate APK. Because a ZIP parser finds the central directory from the end of the file while ART reads the magic from its beginning, the result is a single file that is at the same time a valid APK and a valid DEX. The package installer verifies the original v1 signature, which still matches because it only covers the archive's entries, while ART loads and executes the attacker's prepended DEX instead of the app's own code.

In addition to delivering rogue application updates, Janus can also be used to hide a malicious payload from security products. For example, a malicious APK can carry a clean-looking DEX at its front whose only purpose is to load malicious resources from the rest of the archive. Like ART, some security products might only see and scan that leading DEX code, which is clean, and ignore the rest of the APK.

Researchers from security firm Trend Micro have already found a Trojan application in the wild that uses this technique. The Trojan masquerades as a news app and is not currently hosted on the Google Play store.

“The malware used the vulnerability for dynamic code loading,” the Trend Micro researchers said Tuesday in a blog post. “The embedded DEX file contains only a small payload that decrypts the actual payload from various assets and dynamically loads it.”

“Malicious DEX code embedded in normal apps is capable of evading many security solutions,” the researchers warned. “Enterprise MDM solutions may not detect these apps either, and they are also vulnerable to being modified by malicious apps. Vendors have to improve their ability to scan and detect malicious Android apps.”

Google introduced APK Signature Scheme v2 in Android 7.0 (Nougat), which prevents this attack, and most developers sign their applications with both schemes for backward compatibility. A v2 signature is computed over the whole file rather than over individual entries, so any bytes prepended to the APK invalidate it. An APK that carries a v2 signature and is installed on Android 7 or later is therefore protected (the v1 manifest of such an APK also records that a v2 signature is present, so an attacker cannot simply strip the v2 block to force the weaker check on a patched device). On older Android versions, which still run on a very large number of devices, only the v1 signature is verified and the attack works.
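The format confusion described above, and the difference between what the v1 and v2 checks commit to, in miniature. This is an added example in Python, not code from the article, GuardSquare or Trend Micro. It assumes a constructed two-entry ZIP as a stand-in for a real APK, a "DEX" that is only the 8-byte magic plus padding (not loadable bytecode), simplified per-entry and whole-file digests standing in for the v1 and v2 signatures, and a detection heuristic of my own (`is_dual_format`) that flags files starting with DEX magic yet ending with a ZIP end-of-central-directory record.

```python
"""Janus (CVE-2017-13156) as a file-format confusion, in miniature.

Added example, not code from the article, GuardSquare or Trend Micro. It
builds a tiny APK-like ZIP, prepends a DEX-style header so that the same
bytes parse as a DEX from the front and as a ZIP from the back, and shows
which integrity checks notice. The "DEX" is an 8-byte magic plus padding,
not loadable bytecode, and the digest helpers are simplified stand-ins for
the v1 (per-entry) and v2 (whole-file) signature schemes.
"""
import hashlib
import io
import zipfile

DEX_MAGIC = b"dex\n035\0"   # magic ART checks at offset 0; a real DEX header is 0x70 bytes
EOCD_SIG = b"PK\x05\x06"    # ZIP end-of-central-directory record, located by scanning from the end


def build_apk(entries):
    """Write a minimal ZIP from a {name: bytes} dict (constructed stand-in for a real APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def v1_style_digests(apk):
    """Per-entry SHA-256 digests: all that a JAR/v1 signature commits to.
    The real scheme stores base64 digests in META-INF/MANIFEST.MF and signs them."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return {name: hashlib.sha256(zf.read(name)).hexdigest() for name in zf.namelist()}


def v2_style_digest(apk):
    """Digest over every byte of the file, the property v2 signing provides.
    (Real v2 hashes the ZIP sections in 1 MiB chunks and skips the signing block itself.)"""
    return hashlib.sha256(apk).hexdigest()


def make_janus(apk, dex):
    """Prepend a DEX to an APK. ZIP readers locate the central directory via the EOCD at
    the end and adjust for leading bytes; ART reads the magic at offset 0."""
    return dex + apk


def zip_entries(data):
    """Entry names as a ZIP parser sees them (Python's zipfile tolerates prepended data)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def looks_like_dex(data):
    """Mimics ART's first decision: DEX magic at offset 0 means 'load me as a DEX'."""
    return data[:8] == DEX_MAGIC


def is_dual_format(data):
    """Detection heuristic (mine, not from the article): a file that starts with DEX magic
    and still carries a ZIP EOCD record near its end is a Janus-style hybrid. A genuine
    APK starts with PK\\x03\\x04; a genuine DEX has no EOCD."""
    tail = data[-(22 + 0xFFFF):]           # EOCD is 22 bytes plus an up-to-64 KiB comment
    return looks_like_dex(data) and EOCD_SIG in tail


def demo():
    """Run the scenario end to end and report which checks survive the tampering."""
    apk = build_apk({
        "AndroidManifest.xml": b"<manifest package='com.example.news'/>",  # constructed
        "classes.dex": b"original app bytecode (placeholder)",            # constructed
    })
    fake_dex = DEX_MAGIC + b"\0" * (0x70 - len(DEX_MAGIC))                # header-sized stub
    hybrid = make_janus(apk, fake_dex)
    return {
        "zip_entries_unchanged": zip_entries(hybrid) == zip_entries(apk),
        "v1_digests_unchanged": v1_style_digests(hybrid) == v1_style_digests(apk),
        "v2_digest_unchanged": v2_style_digest(hybrid) == v2_style_digest(apk),
        "art_would_load_as_dex": looks_like_dex(hybrid),
        "original_flagged": is_dual_format(apk),
        "hybrid_flagged": is_dual_format(hybrid),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:24s} {result}")
```

Running it prints six checks: the list of ZIP entries and the per-entry digests are identical before and after the DEX is prepended, so a v1-style check passes, while the whole-file digest changes, which is the property the v2 scheme relies on. The hybrid is also the only input flagged by the "starts with DEX magic but ends with a ZIP EOCD" test, a cheap triage rule for a scanner, since neither a genuine APK nor a genuine DEX has both properties.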

“Until Nougat is rolled out to more devices, we recommend that developers continue with mixed signing,” the Trend Micro researchers said.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42