Android flaw lets attack code slip into signed apps

Researchers say a recently patched vulnerability in Android could leave users vulnerable to attack from signed apps. The vulnerability, dubbed Janus, would allow a malicious application to add bytes of code to the APK or DEX formats used by Android applications without affecting the application's signature. In other words, a …

  1. Anonymous Coward

    I guess Samsung users will see this patched sometime in January 2099.

    1. WolfFan Silver badge

      That soon? Are you sure?

    2. Anonymous Coward

      They don't need to, the attack vector is tiny. This is pure clickbait.

    3. TheVogon Silver badge

      Plenty of malware makes it to the PlayStore without needing any vulnerabilities!

      1. Anonymous Coward

        If you believe what you read on the internet, yes sure... Back here in the real world, we rely on facts and evidence....

        1. TheVogon Silver badge

          "Back here in the real world, we rely on facts and evidence...."

          Like this you mean:

          https://www.grahamcluley.com/ztorg-sms-android-malware/

          or this

          https://www.grahamcluley.com/calljam-malware-infects-androids-keeps-ringing-premium-rate-numbers/

          or this

          http://www.zdnet.com/article/android-malware-in-google-play-racked-up-4-2-million-downloads-so-are-you-a-victim/

          1. Anonymous Coward

            Yep, click bait bloggers getting their ad impressions up.

            How many real world incidents do you know of? Pretty much everyone I know has an android phone, and absolutely no problems at all. Your links are hypothetical fud stories, and if you can't see that, then you really are quite gullible.

            1. TheVogon Silver badge

              I got hit by one of these in a wallpaper app that signed me up for premium rate services. They are real. My phone is not rooted and I only use the PlayStore. And I posted about it on the reg forums a couple of months ago when it happened in case you want to claim I'm making it up to support this post ....

              1. Anonymous Coward

                You mean you went looking for ....

            2. RyokuMas Silver badge
              Mushroom

              History repeating

              "Pretty much everyone I know has an android phone, and absolutely no problems at all."

              Pretty much everyone I knew back in the late 90s/early 2000s had a windows PC. Sure we had all heard of these viruses that could exploit vulnerabilities, but everyone we knew had had absolutely no problems at all.

              Then one day, one poor unfortunate soul we knew of managed to infect his works' systems with the Sircam worm...

              So go ahead - keep on drinking that Google kool-aid, with your hands over your ears, your eyes shut and screaming "la la la, everything's ok"... I guarantee you that sooner or later, everything will end up not being okay, and your blasé attitude will come back to bite you on the arse - unless, of course, the one here actually spreading the FUD (or rather, sowing the seeds of ignorance) is yourself.

  2. Sergey 1
    Pint

    GuardSphere?

  3. Kevin McMurtrie Silver badge

    I thought this was announced years ago. Did somebody lose the JIRA ticket for it?

    1. LDS Silver badge

      If it was announced years ago, why was the CVE created on December 6, 2017?

      The Google Squad tasked with downplaying any Android issue looks very busy... if it's not made by bots.

  4. Bob Vistakin
    Holmes

    Woah - the clue is in the earlier fix

    So someone reads a bugfix list which Google released, saw it corrects an older problem, then "announces" they, themselves, personally using all their expert security skills, have found a vulnerability which, err, only affects older versions?

    Way to go, Sherlock.

    1. Dr Mantis Toboggan

      Re: Woah - the clue is in the earlier fix

      Still puts cheap advertising impressions, that is the name of the game

  5. kain preacher Silver badge
    Joke

    See, that would have never happened on a windows phone.

    1. kain preacher Silver badge

      wow the one windows phone owner is sensitive.

    2. Anonymous Coward

      Indeed, there is no signature enforcement at all on windows, it's the true wild west, you can literally run anything. (Well nothing, as it's got no apps)

      1. Anonymous Coward

        "Indeed, there is no signature enforcement at all on windows,"

        There is on Windows PHONE. Numerous security experts have found it to be the most secure mobile platform versus Android and IOS


Biting the hand that feeds IT © 1998–2019