Android recently disclosed the Janus vulnerability, which enabled the injection of malicious code into reputable...
apps, infecting the endpoint of any user who downloaded it. How does this vulnerability work and how can it be prevented?
Some users have suggested the use of whitelisting -- allowing only approved and signed executables to be installed or run on a system -- as a solution to combat Android malware like the Janus vulnerability that was discovered and patched in 2017. Using signed executables via an app store could meet this need because, in theory, it can prevent malware from infecting an endpoint. If the malware can't execute on the endpoint, then it can't exploit the endpoint to install the malware payload.
However, several critical assumptions on which this statement relies might not always be true. One assumption is that a properly signed file is not malware; another is that you can't change a signed file. Malicious actors have been able to create malware with valid signatures, and one signed file running on Android 5.0 and above had malicious content added to it.
The app was available in a third-party Android app store and contained malware and other files, including unsigned malicious code. GuardSquare found the vulnerability, named the Janus vulnerability, which allows attackers to bundle a separate file with a legitimate signed file, and which can be run on a targeted device to compromise the security of the system. The malicious file can even be used to replace an application that has already been installed and to use the existing permissions of the application.
Part of this Android vulnerability is that the signature on the file does not cover the entire file.
Android 7.0 and newer devices that use the Android Package signature scheme version 2 for authentication are not vulnerable to this Android vulnerability, and Google has already patched the vulnerability in Android 5, but most users will need to wait until their carrier pushes the patch.
In order to reduce the chance of a malicious file being downloaded, users should not download applications from outside of the official Google Play app store.
Some whitelisting tools are not vulnerable to attacks like this and do not rely on these assumptions. Users should evaluate how their tools handle signed malware and how their files have been changed after they were originally signed.
Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Dig Deeper on Software and application security
Related Q&A from Nick Lewis
The Qihoo 360 Core Security team found a Microsoft vulnerability -- named Double Kill -- that affects applications via Office documents. Learn how ... Continue Reading
IBM X-Force found MnuBot -- a new banking Trojan -- manipulating C&C servers in an unusual way. Learn how this is possible and how this malware ... Continue Reading
Researchers at Trend Micro found a new strain of malware -- dubbed FacexWorm -- that targets users via a malicious Chrome extension. Discover how ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.