Greetings fellow hackers, my name is Sandy, a Security Analyst and bug bounty hunter. As I’m presently engaged in Android penetration testing, I’d like to share my experiences with you, as they may help answer some of the questions I had difficulty resolving myself. Without further introduction, let’s get started.
Janus vulnerability, also known as “Android Janus Attack,” is a security flaw that affects Android devices running versions 5.0 through 7.1.2 (Lollipop, Marshmallow, and Nougat). It allows attackers to modify the code of legitimate Android apps without changing their digital signature, potentially allowing them to take control of the device.
The vulnerability is caused by a flaw in the Android operating system’s APK signature verification process. APKs (Android Application Packages) are the file format used to distribute and install Android apps. The signature verification process is supposed to ensure that the app has not been tampered with and is from a trusted source. However, the Janus vulnerability allows attackers to add malicious code to the APK file without affecting the signature, which means that the modified app will still appear to be legitimate.
Attackers can use this vulnerability to create malicious apps that appear to be legitimate, such as a banking app or a social media app. When the user installs the app, the malicious code can then take control of the device and steal sensitive information, such as passwords or credit card numbers.
The Janus vulnerability was discovered by security researchers in 2017, and Google has since released a patch to address the issue. However, it is important for Android users to keep their devices up-to-date with the latest security patches and to only download apps from trusted sources to minimize the risk of falling victim to this vulnerability.
The name “Janus” comes from the fact that the vulnerability allows an attacker to create a “dual-faced” APK that appears legitimate when inspected by Android’s built-in security measures, but contains hidden code that can be executed by an attacker.
Google released a patch for the vulnerability as part of its Android security updates in February 2018. It is important for Android users to keep their devices up to date with the latest security patches in order to protect against vulnerabilities like Janus.
Google Play has strict policies when it comes to security vulnerabilities like Janus. Any app found to contain such a vulnerability is considered a violation of Google Play’s developer policies, which require apps to be secure and not harm users or their devices.
Google Play has a number of security measures in place to protect users from malicious apps, including automated systems that scan apps for security vulnerabilities before they are published on the platform. In addition, Google Play requires developers to follow certain security best practices, such as using secure coding practices, properly implementing encryption, and avoiding the use of known vulnerable libraries.
If an app is found to contain a Janus vulnerability or any other security issue, Google Play may take a number of actions, including removing the app from the platform, notifying users of the issue, and potentially suspending or banning the developer’s account.
It is important for developers to take security seriously and follow best practices to ensure their apps are safe and secure for users.
Affected Versions
The Janus vulnerability in Android affected devices running Android 5.0 (Lollipop) and later versions, up to and including Android 7.1.2 (Nougat). This vulnerability was first discovered in 2017 and was assigned the CVE identifier CVE-2017-13156.
Practical Exploitation
In short, applications signed exclusively with the v1 scheme, when installed on devices running Android 5.0 to 8.0, are vulnerable to Janus.
The Janus vulnerability affects applications signed with the version 1, version 2, or version 3 signature schemes, or a combination of them, when installed on devices running Android versions 5.0 to 7.0.
To exploit this vulnerability we need a device running a vulnerable version of Android whose security patch level is earlier than 2017-12-01.
To begin, let’s learn about the signature schemes:
To identify the application’s signature methods, we employ the apksigner tool.
$ apksigner verify -verbose app.apk
Since the apk has only been signed with v1 and lacks v2 or v3 signature schemes, it presents an opportunity to exploit the Janus vulnerability using this application.
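As an added defender-side check (not part of the original post or of apksigner), the script below flags the two properties this section relies on: an APK with no APK Signing Block (so v1-only, Janus-exposed on unpatched devices) and a file that starts with a DEX header instead of a ZIP header. The sample APKs are constructed in memory and the dummy signing block contains no real signature, only the block framing.

```python
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n"                        # DEX files start with "dex\n" + version + NUL
EOCD_SIG = b"PK\x05\x06"                    # ZIP End of Central Directory signature
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"   # final 16 bytes of an APK Signing Block (v2/v3)


def find_eocd(data: bytes) -> int:
    """Offset of the End of Central Directory record (22 bytes + comment of up to 65535)."""
    pos = data.rfind(EOCD_SIG, max(0, len(data) - 65557))
    if pos < 0:
        raise ValueError("not a ZIP/APK: no End of Central Directory record")
    return pos


def has_apk_signing_block(data: bytes) -> bool:
    """True if an APK Signing Block ends exactly where the central directory begins."""
    eocd = find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]   # central directory offset field
    return cd_offset >= 16 and data[cd_offset - 16:cd_offset] == APK_SIG_BLOCK_MAGIC


def assess_apk(data: bytes) -> dict:
    """Report whether the file is DEX-prefixed and whether it carries a v2/v3 signing block."""
    hybrid = data[:4] == DEX_MAGIC               # a DEX/APK hybrid is never a clean APK
    v2_block = (not hybrid) and has_apk_signing_block(data)
    return {"dex_prefixed": hybrid, "has_v2_block": v2_block,
            "janus_exposed": hybrid or not v2_block}


def build_sample(with_sig_block: bool) -> bytes:
    """Constructed sample: a tiny ZIP, optionally with a dummy APK Signing Block inserted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"constructed placeholder, not real dex")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    data = buf.getvalue()
    if not with_sig_block:
        return data
    eocd = find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    # Block layout: uint64 size, ID-value pairs (none here), uint64 size, 16-byte magic.
    size = 8 + 16                                 # size field excludes the leading size itself
    block = struct.pack("<Q", size) + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    new_eocd = data[eocd:eocd + 16] + struct.pack("<I", cd_offset + len(block)) + data[eocd + 20:]
    return data[:cd_offset] + block + data[cd_offset:eocd] + new_eocd
```

A real APK can be fed in with `assess_apk(open("app.apk", "rb").read())`; a `janus_exposed` result is the same condition the apksigner output above reveals as "v2: false".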
To confirm that this application can be used to exploit the Janus vulnerability on Android versions 5.x, 6.x, 7.x, and 8.0 (API levels 21–26), we need to determine the minimum Android version on which it can run. We can do this with apktool.
$ apktool -s d app.apk && cat app/apktool.yml | grep minSdk
Next we need a dex file to inject into our vulnerable application, so let’s download any apk and extract the classes.dex file from Sample.apk using:
$ apktool -s d Sample.apk && mv Sample/classes.dex .
Now we have classes.dex, extracted from Sample.apk, and app.apk, our target application.
To inject this classes.dex file into our application, we use ari5ti’s exploit code, which injects a dex file into an apk.
$ ./Janus.py classes.dex app.apk
Now, we will see how this app.apk looks before exploiting it. I am using Android 7.1 as my vulnerable device.
After examining how our vulnerable application looks, let’s update it with the apk we injected.
On the phone, open the file manager, go to the sdcard, and tap app.apk.
Tap Install to install the update, then Open.
We have successfully exploited the application: “app” crashed because we injected the dex file of Sample.apk into app.apk.