Exclusive analysis: How the Android "Janus" vulnerability arises and how it is exploited

Source: Internet
Author: User

Recently, Google's December Android Security Bulletin disclosed an Android vulnerability named "Janus" (CVE-2017-13156). It lets an attacker bypass the signature scheme V1 signature check of the Android system and tamper with an app directly. Because Android's other security mechanisms build on signature verification, the vulnerability amounts to a bypass of the platform's entire security model. Once an attacker has placed a counterfeit app carrying malicious code into a third-party channel such as an Android app store, it can be downloaded and installed as an update in place of the original app. Users who install such a counterfeit app not only risk leaking personal information such as accounts, passwords, photos and files; the phone is also more likely to be implanted with a Trojan, which may lead to the device being rooted or even remotely controlled.

As soon as Top Image Technology detected the "Janus" vulnerability, it updated the defense strategy of its Security SDK and was the first to release a protection plan against it, helping shield users from attacks based on the vulnerability.

Analysis shows that Android 5.0 through 8.0, and apps signed with signature scheme V1, are affected by "Janus"; apps signed with signature scheme V2 are not.

Advice for Android users:
1. Upgrade to the latest Android version as soon as possible.
2. In the short term, update and download apps from official websites wherever possible.

Advice for Android developers:
1. Upgrade the app APK (installation package) to the newer signature scheme V2 as soon as possible.
2. Check the first bytes of the app's APK file promptly to ensure the app has not been tampered with.
3. Top Image Technology's Security SDK has updated its defense mechanism and can protect against the vulnerability effectively.

What caused the "Janus" outbreak?

To strengthen Android's security, Google released a new signature verification scheme, signature scheme V2. Because V2 requires apps to be re-released, and a large number of existing APKs cannot use the V2 check, the V1 check path was kept so that existing apps remain compatible; that retained V1 path is where the "Janus" vulnerability lives.

Why did Google publish signature scheme V2? Look at the security issues that have surfaced in the Android system in recent years.

Over the years Android has suffered a series of signature loopholes.

The "Masterkey" vulnerability

"Janus" is a signature-verification vulnerability, and it is not the first of its kind on Android. At Black Hat 2013, Bluebox's security team disclosed the "Masterkey" vulnerability, which affected the Android 6.0 system and all earlier versions. How did these loopholes come about? "Masterkey" relies on multiple ZipEntry records with the same name inside the APK (a zip file), as follows:
1. Add an attacker's classes.dex file (A) in front of the original classes.dex in the app's APK.
2. During verification, the Android system computes the hash of file A and stores it with the string "classes.dex" as the key.
3. Android then computes the hash of the original classes.dex (B) and stores it under the same "classes.dex" key; this overwrites A's hash, so the system concludes the APK has not been modified and completes the installation.
4. When the APK runs, the system uses the first match, file A, and ignores B, which is the vulnerability.

Repair method: forbid installing APKs that contain multiple ZipEntry records with the same name.

The "9695860" vulnerability

Shortly after Masterkey surfaced, the domestic "Android Security Squad" disclosed a similar loophole. It is a very delicate one: it exploits a hole in how the zip local file header is parsed. Specifically:
1. Replace the original classes.dex (B) in the APK with attack file A, and add an extra field of size 0xFFFD.
2. Strip the first 3 bytes from the original dex file B and write the remainder into the extra field.
3. While verifying the signature, the Java code parses 0xFFFD as a signed 16-bit short, giving -3, and so resolves the original file B; Android concludes the APK is unmodified and installs it normally.
4. At execution time, the C code reads the same field as a uint16, where 0xFFFD is unsigned, and so obtains attack file A.
The trick is that a dex file begins with the string "dex" and the name classes.dex ends with the same three bytes, so the two can overlap in the file; this is also why "9695860" could only be exploited against classes.dex.

The "9950697" vulnerability

Shortly after "9695860", a similar overflow vulnerability was found in APK file handling; it is easier to exploit than "9695860" and can attack any file in the APK. The cause is that Android assumed the file name length and extra field length in the zip local file header are consistent with those in the central directory entry. During installation the Java code overflows, reads the normal file B, passes the check, and the APK installs normally. At runtime the C code processes the headers without overflowing and reads attack file A.
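The three pre-Janus loopholes above share one root cause: the code that verifies the APK and the code that later loads it read the zip structure differently. The following Python script, an added example that is not code from the original article or from Android, audits an archive for all three inconsistencies at once: duplicate entry names ("Masterkey"), 16-bit length fields that become negative when parsed as a Java short ("9695860"), and disagreement between the local file header and the central directory ("9950697"). The samples it builds are constructed stand-ins, not real APKs, and the tiny zip writer assumes stored (uncompressed), single-disk, non-zip64 archives.

```python
# Structural audit of an APK (zip) file for the three signature-check
# inconsistencies described above. Added example, not code from the article
# or from Android; assumes stored, single-disk, non-zip64 archives.
import struct
import zlib

LFH_SIG, CD_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"


def build_zip(entries):
    """Build a minimal stored zip from (name, data, lfh_extra, cd_extra) tuples.
    Letting the local-header and central-directory extra fields differ is what
    allows the inconsistent test files below to be constructed."""
    body, cd = b"", b""
    for name, data, lfh_extra, cd_extra in entries:
        nb, crc, off = name.encode(), zlib.crc32(data) & 0xFFFFFFFF, len(body)
        body += LFH_SIG + struct.pack("<HHHHHIIIHH", 20, 0, 0, 0, 0, crc,
                                      len(data), len(data), len(nb), len(lfh_extra))
        body += nb + lfh_extra + data
        cd += CD_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, 0, 0, 0, crc,
                                   len(data), len(data), len(nb), len(cd_extra),
                                   0, 0, 0, 0, off)
        cd += nb + cd_extra
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, len(entries), len(entries),
                                  len(cd), len(body), 0)
    return body + cd + eocd


def parse_central_directory(buf):
    """Walk the central directory from the end of the file, as an installer does."""
    eocd = buf.rfind(EOCD_SIG)
    _, _, _, total, _, cd_off, _ = struct.unpack_from("<HHHHIIH", buf, eocd + 4)
    pos, records = cd_off, []
    for _ in range(total):
        if buf[pos:pos + 4] != CD_SIG:
            raise ValueError("bad central directory record")
        f = struct.unpack_from("<HHHHHHIIIHHHHHII", buf, pos + 4)
        name_len, extra_len, comment_len = f[9], f[10], f[11]
        records.append({"name": buf[pos + 46:pos + 46 + name_len].decode(),
                        "name_len": name_len, "extra_len": extra_len,
                        "size": f[8], "lfh_off": f[15]})
        pos += 46 + name_len + extra_len + comment_len
    return records


def parse_local_header(buf, off):
    """Read the local file header an entry points at, as the runtime loader does."""
    if buf[off:off + 4] != LFH_SIG:
        raise ValueError("bad local file header")
    f = struct.unpack_from("<HHHHHIIIHH", buf, off + 4)
    name_len, extra_len, size = f[8], f[9], f[7]
    start = off + 30 + name_len + extra_len
    return {"name_len": name_len, "extra_len": extra_len, "data": buf[start:start + size]}


def audit(buf):
    """Return a list of findings; an empty list means all three checks passed."""
    findings, seen = [], set()
    for r in parse_central_directory(buf):
        if r["name"] in seen:  # a name-keyed hash table would keep only the last one
            findings.append(f"duplicate entry name {r['name']!r} (Masterkey)")
        seen.add(r["name"])
        lfh = parse_local_header(buf, r["lfh_off"])
        for view, hdr in (("central", r), ("local", lfh)):
            for field in ("name_len", "extra_len"):
                if hdr[field] >= 0x8000:  # negative when read as a signed Java short
                    findings.append(f"{view} {field} 0x{hdr[field]:04x} of "
                                    f"{r['name']!r} is negative as a Java short (9695860)")
        if (lfh["name_len"], lfh["extra_len"]) != (r["name_len"], r["extra_len"]):
            findings.append(f"local/central header length mismatch for {r['name']!r} (9950697)")
    return findings


# Constructed samples, not real APKs: a clean archive and one per vulnerability.
CLEAN = build_zip([("classes.dex", b"dex\n035\x00 original", b"", b"")])
DUPLICATE_NAME = build_zip([("classes.dex", b"dex\n035\x00 first", b"", b""),
                            ("classes.dex", b"dex\n035\x00 second", b"", b"")])
SIGNED_EXTRA = build_zip([("classes.dex", b"dex\n035\x00 x", b"\x00" * 0xFFFD, b"\x00" * 0xFFFD)])
LENGTH_MISMATCH = build_zip([("classes.dex", b"dex\n035\x00 x", b"", b"\x00" * 8)])

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("duplicate name", DUPLICATE_NAME),
                          ("signed extra", SIGNED_EXTRA), ("length mismatch", LENGTH_MISMATCH)]:
        print(label, audit(sample) or "ok")
```

The audit deliberately parses both views of every entry and compares them, which is the general fix behind all three cases: a verifier that rejects any archive where the central directory, the local header, and a by-name lookup disagree closes the whole class rather than one instance of it.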

Google released the signature scheme V2 signing mechanism

All of the loopholes above appeared in signature scheme V1, the signing and verification mechanism based on jarsigner. Google was aware of the flaws in that mechanism and released a redesigned signature scheme V2. Signature scheme V2 signs the entire contents of the APK file, with the goal that any modification to the APK causes verification to fail. Currently signature scheme V2 is supported on Android 7.0 and above.

The attack principle and exploitation process of the "Janus" vulnerability

Attack principle
1. Android 4.4 introduced a new virtual machine, ART, which was redesigned with many optimizations to improve application performance. The technical point relevant to "Janus" is that ART can run a raw dex file directly, without a zip wrapped around it. The earlier Dalvik VM required the dex to be wrapped inside a zip and named classes.dex in order to run. ART also supports running a dex wrapped inside a zip; to tell zip from dex it looks at the magic field in the file header: a zip file starts with "PK", a dex file starts with "dex".
2. A zip file is read by locating the central directory at the end of the file and then locating each zip entry through the index inside it; each entry, once decompressed, corresponds to one file.

Extent of impact
1. All versions of the Android 5.0 to 8.0 system.
2. APK files signed with Android signature scheme V1.

Exploitation process
1. The attacker places an attack dex file (A) at the start of the APK file.
2. During installation the Android system uses the zip reading mechanism, reads from the end of the file, obtains the original APK contents, and verifies them with V1; the file appears normal and untampered, and the APK installs successfully.
3. At runtime the Android ART virtual machine reads from the file header, finds that it is a dex file, and executes it directly, so attack file A ends up running.

Threat posed
The APK can be modified without the APK owner's certificate and, by bypassing the check, installed on the user's phone, which may result in the following:
1. Reading data stored on the phone, such as bank passwords, payment passwords and tokens of financial apps, chat records of messaging apps, pictures and call recordings.
2. Monitoring, intercepting and spoofing user input, and guiding users to enter passwords or make transfers.
3. Using the vulnerability to update Android system apps, obtain higher system privileges, even root or jailbreak the device, and prepare for further attacks.

Protection and repair suggestions from Top Image Technology
Top Image Technology has long focused on the risks on mobile and web platforms and on the business threats to each. By analyzing and monitoring loopholes and threats promptly and putting targeted protection measures in place, it has accumulated extensive hands-on experience against black- and grey-market operations. Top Image Technology shares this experience with users through its Security SDK, helping them build an efficient defense system that effectively defends against new and complex malicious attacks and threats.
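The exploitation process above, and the developer advice to check the first bytes of the APK, come down to two readers disagreeing about one file: a zip reader starts from the end-of-central-directory record, a loader that trusts the leading magic starts from byte 0. The Python script below is an added example, not code from the original article or from Android. It builds a constructed stand-in APK with Python's own zipfile module, makes a copy with 32 foreign bytes (a constructed dex-like header, not bytecode) in front, and shows that the zip view of both files is identical while two cheap checks, the leading magic and the amount of data preceding the zip structure, reject the prefixed copy before any V1 verification would run.

```python
# Detection of a "Janus"-style file: foreign bytes placed in front of an
# otherwise intact APK. Added example, not code from the article or from
# Android; the "dex" bytes below are a constructed header, not bytecode.
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"


def build_apk():
    """Constructed stand-in for a signed APK (no real bytecode or signature)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("classes.dex", b"dex\n035\x00 original classes")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def zip_view(data):
    """Entries and contents as a zip reader (and hence the V1 check) sees them.
    The reader locates the central directory from the end of the file, so
    leading junk does not change what it returns."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {info.filename: z.read(info.filename) for info in z.infolist()}


def leading_magic(data):
    """Classify the file the way a loader that trusts the header would."""
    if data[:4] == b"dex\n":
        return "dex"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    return "unknown"


def prepended_bytes(data):
    """Count bytes that precede the zip structure. The end-of-central-directory
    record gives the central directory's offset and size, so in a clean archive
    EOCD sits exactly at cd_offset + cd_size; anything extra was prepended."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a zip file")
    _, _, _, _, cd_size, cd_off, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    return eocd - (cd_off + cd_size)


def check_apk(data):
    """Return the reasons an APK should be rejected before any V1 check runs."""
    problems = []
    magic = leading_magic(data)
    if magic != "zip":
        problems.append(f"file starts with {magic} magic, not a zip local header")
    extra = prepended_bytes(data)
    if extra > 0:
        problems.append(f"{extra} bytes precede the zip data")
    return problems


# Constructed samples: the clean archive and a copy with 32 foreign bytes in front.
CLEAN = build_apk()
PREFIXED = b"dex\n035\x00" + b"\x00" * 24 + CLEAN

if __name__ == "__main__":
    print("zip reader sees the same entries:", zip_view(CLEAN) == zip_view(PREFIXED))
    print("clean:", check_apk(CLEAN) or "ok")
    print("prefixed:", check_apk(PREFIXED))
```

The second check matters because the first is easy to get wrong in isolation: the magic test only proves the file does not begin with a local header, whereas the EOCD arithmetic proves that some quantity of data precedes the zip structure regardless of what it is. A signature scheme V2 check, which covers the whole file, would reject the prefixed copy for the same reason: every byte, including the prefix, is under the signature.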
As soon as the "Janus" vulnerability was detected, Top Image Technology updated its Security SDK defense strategy and took the lead in releasing a security protection scheme for the vulnerability, helping shield users from attacks based on it.

Android users:
1. Upgrade to the latest Android version as soon as possible.
2. Update and download apps from official websites wherever possible, and in the short term avoid updating or downloading apps through third-party Android app markets.

Android developers:
1. Upgrade the app APK to the latest signature scheme V2 signing mechanism.
2. Check the first bytes of the app's APK file promptly to ensure the app has not been tampered with.
3. Use the Security SDK provided by Top Image Technology to protect against this vulnerability.

Top Image Technology, an internet business security company, is committed to creating a zero-risk digital world. Founded in April 2017, it is a Sequoia Capital China portfolio company. With leading risk-control technology and intelligent terminal security technology, its pioneering "shared security" concept has become the standard architecture for a new generation of security products. Through its panoramic business security risk-control system, frictionless verification, virtual machine source protection, Security SDK and other products, it provides BAT-level business security capabilities to e-commerce, finance, IoT, aviation, gaming, social and other enterprises, protecting platforms and users from threats such as bonus abuse, transaction fraud, account theft, malicious content crawling, and compromised systems and apps.

* For more business security technology sharing, follow the Top Image Technology official blog: https://www.dingxiang-inc.com/blog
