Android Security Bulletin—December 2017

ronjor · Dec 5, 2017

Published December 4, 2017

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2017-12-05 or later address all of these issues. To learn how to check a device's security patch level, see Check & update your Android version.
Click to expand...

Minimalist · Dec 8, 2017

Among the four dozen vulnerabilities Google patched this week was a fix for a bug that allowed attackers to inject malicious code into Android apps without affecting an app’s signature verification certificate. The technique allows an attacker to circumvent device anti-malware protections and escalation privileges on targeted devices with signed apps that appear to be from trusted publishers, according to researchers.

The vulnerability, dubbed Janus, was discovered earlier this summer by Eric Lafortune, CTO of GuardSquare. He reported the bug (CVE-2017-13156) to Google in July. Google patched the vulnerability as part of its December Android Security Bulletin. Public disclosure of the bug was Thursday.
Click to expand...

https://threatpost.com/android-flaw-poisons-signed-apps-with-malicious-code

Dermot7 · Dec 27, 2017

We have found at least one app in the wild using this technique. This particular version of the app used the vulnerability to make itself more difficult to detect by mobile security solutions. It’s possible that it could be used in the future to compromise other apps and access the information of the user.
Click to expand...

Janus Android App Signature Bypass Allows Attackers to Modify Legitimate Apps - TrendLabs Security Intelligence Blog

Log in or Sign up

Android Security Bulletin—December 2017

ronjor Global Moderator

Minimalist Registered Member

Dermot7 Registered Member

Log in or Sign up

Android Security Bulletin—December 2017

ronjor Global Moderator

Minimalist Registered Member

Dermot7 Registered Member

Useful Searches