Android recently disclosed the Janus vulnerability, which enabled the injection of malicious code into reputable apps, infecting the endpoint of any user who downloaded it. How does this vulnerability work and how can it be prevented?
Some users have suggested the use of whitelisting -- allowing only approved and signed executables to be installed or run on a system -- as a solution to combat Android malware such as the apps that exploited the Janus vulnerability, which was discovered and patched in 2017. Requiring signed executables delivered through an app store could meet this need because, in theory, it prevents unapproved code from running on an endpoint: if the malware can't execute, it can't exploit the endpoint to install its payload.
However, this argument relies on several critical assumptions that are not always true. One is that a properly signed file is not malware; another is that a signed file can't be changed after it is signed. Malicious actors have been able to create malware with valid signatures, and in the Janus case a signed file running on Android 5.0 and above had malicious content added to it without invalidating the signature.
The app was available in a third-party Android app store and contained malware and other files, including unsigned malicious code. GuardSquare found the flaw, named the Janus vulnerability, which allows attackers to bundle a separate file with a legitimately signed file so that the bundled code runs on a targeted device and compromises the security of the system. Because the tampered file still passes the signature check, it can even be installed as an update that replaces an application already on the device and inherits that application's existing permissions.
The root of this Android vulnerability is that the signature on the file does not cover the entire file: the original APK signature scheme (version 1) signs the individual entries inside the archive rather than the bytes of the file as a whole, so additional content can be placed in the same file without invalidating the signature.
Devices running Android 7.0 and newer that verify apps with APK signature scheme version 2, which covers the whole file, are not affected by this vulnerability. Google has already patched the vulnerability in Android 5, but most users will need to wait until their carrier pushes the patch.
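The file-layout weakness described above can be checked for directly. The following is an added example, not code from this page or from GuardSquare: it inspects a file for the structural traits a Janus-style file exhibits (a DEX header at offset 0 of a file that is otherwise a ZIP/APK) and reports whether an APK Signing Block for scheme version 2 is present. The ZIP, DEX and signing-block magic values are the standard ones; the sample APK and the hybrid test fixture are constructed inline and are not real malware.

```python
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n"                       # every DEX version begins "dex\n0xx\0"
EOCD_SIG = b"PK\x05\x06"                   # ZIP end-of-central-directory record
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # trailer of the APK Signing Block (v2+)

def central_directory_offset(data: bytes):
    """Return the central-directory offset stored in the EOCD record, or None."""
    idx = data.rfind(EOCD_SIG)
    if idx < 0 or idx + 22 > len(data):
        return None
    return struct.unpack_from("<I", data, idx + 16)[0]

def inspect_apk(data: bytes) -> dict:
    """Report the structural properties a Janus-style file exhibits."""
    cd_offset = central_directory_offset(data)
    has_zip = cd_offset is not None
    starts_with_dex = data[:4] == DEX_MAGIC
    # The v2 signing block sits immediately before the central directory and
    # ends with a 16-byte magic; a v1-only APK has no such block.
    has_v2_block = bool(has_zip and cd_offset >= 16
                        and data[cd_offset - 16:cd_offset] == APK_SIG_BLOCK_MAGIC)
    return {
        "zip_structure": has_zip,
        "dex_header_at_offset_0": starts_with_dex,
        "apk_signing_block_v2": has_v2_block,
        # Janus layout: the ZIP parser (reading from the end) and the DEX loader
        # (reading from the start) see two different files in one blob.
        "janus_layout": has_zip and starts_with_dex,
    }

def build_sample_apk() -> bytes:
    """Constructed minimal ZIP standing in for a v1-signed APK (no v2 block)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 16)
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
    return buf.getvalue()

if __name__ == "__main__":
    clean = build_sample_apk()
    # Constructed fixture with the Janus layout: a DEX header in front of the ZIP.
    hybrid = b"dex\n035\0" + b"\0" * 64 + clean
    for name, blob in (("clean", clean), ("hybrid", hybrid)):
        print(name, inspect_apk(blob))
```

A file flagged with `janus_layout` but no v2 signing block is exactly the case that older, unpatched devices would accept on the strength of the v1 signature alone.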
To reduce the chance of downloading a malicious file, users should not install applications from outside the official Google Play app store.
Some whitelisting tools are not vulnerable to attacks like this because they do not rely on these assumptions. Users should evaluate how their tools handle signed malware and whether they detect files that have been changed after they were originally signed.
Related Q&A from Nick Lewis