Since the first release, Android has required developers to sign their applications. When you update an app, Android will compare the update's signature to the existing version. If they match, the app update will install. This way, developers don't have to worry about modified APKs causing problems, and users are kept secure.
GuardSquare, a security firm based in Belgium, published a report today about a vulnerability it discovered in Android. Nicknamed 'Janus,' it allows attackers to add additional content to an APK without breaking the signature. Normally, Android checks the signature of the APK file, and if it matches the previous signature, the app is compiled into a DEX file for running on the device.
Janus works by combining an unmodified APK file with a modified DEX executable, which doesn't affect the app signature. The Android system would allow the installation, then start running code from the DEX header. Simply put, this would allow attackers to replace any app (ideally one with many permissions already granted, like system apps) with a malicious version.
It's worth noting that the scope of this vulnerability is fairly limited. It only affects applications signed with Android's original JAR-based signing scheme, which was replaced with Signature Scheme v2 in Android 7.0 Nougat. On newer devices, attackers could only take advantage of apps not using the newer signing method (which mostly consists of old third-party apps). Also, this is only a concern for apps downloaded from outside the Play Store.
GuardSquare reported this vulnerability to Google on July 31, and the fix is included in the December 1 security patch level. We have also patched the vulnerability on APKMirror, so applications modified with this method will not appear on the site. In addition, we have verified that no modified app was ever uploaded to APKMirror. You can find more information about Janus at the source link below.