We've moved quickly to protect APKMirror.com users from the "Janus" Android vulnerability disclosed by GuardSquare today.

1. https://www.apkmirror.com is now fully patched against any such modified APKs.

2. All existing hosted APKs are safe, and we found 0 Janus-modified APKs.

Screenshot of a Janus-modified APK upload attempt: https://i.imgur.com/Fb1rZUR.png.

Now for more info.

Earlier today, GuardSquare published a disclosure about a serious bug in Android's APK verification that could allow attackers to tweak APKs without tripping signature verification. https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures

* See CVE-2017-13156 disclosed here https://source.android.com/security/bulletin/2017-12-01#system.
* The AOSP fix is here: https://android.googlesource.com/platform/system/core/+/9dced1626219d47c75a9d37156ed7baeef8f6403.

Devices on the December 2017 patch level and above are protected, but everything earlier is vulnerable, so it was very important to make sure APKMirror.com does not allow such modified APKs.

PoC (proof-of-concept) APK files if you want to play around with them:

* Normal APK: https://www.androidpolice.com/wp-content/uploads/janus-poc/HelloWorld.apk.
* Janus-repacked APK: https://www.androidpolice.com/wp-content/uploads/janus-poc/HelloWorld-Janus.apk.

Special thanks to GuardSquare, Sander Bogaert, @VYSEa, and Eric Lafortune.

Tl;dr: @APKMirror is safe.
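
For anyone running their own APK intake, here is a sketch of an upload-side check. It is an added example, not APKMirror's actual filter, and it relies on the publicly documented shape of a Janus file: a DEX header at the start of the file with the signed ZIP/APK behind it. The function name, the result labels and the policy of rejecting any bytes in front of the first ZIP entry are assumptions made for this example.

```python
import io
import zipfile

DEX_MAGIC = b"dex\n"  # first four bytes of every DEX file header


def classify_upload(data: bytes) -> str:
    """Return 'clean', 'dex_prefixed', 'prefixed' or 'not_apk' for an uploaded file."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return "not_apk"
    try:
        with zipfile.ZipFile(buf) as zf:
            # zipfile compensates for data in front of the archive, so
            # header_offset is the real file position of each local header.
            offsets = [info.header_offset for info in zf.infolist()]
    except zipfile.BadZipFile:
        return "not_apk"
    if not offsets:
        return "not_apk"  # an empty archive cannot be an APK
    if data.startswith(DEX_MAGIC):
        return "dex_prefixed"  # valid ZIP that also opens like a DEX: Janus shape
    if min(offsets) != 0:
        return "prefixed"  # assumed policy: an APK must start at its first ZIP entry
    return "clean"


def constructed_samples() -> tuple:
    """Constructed inputs: a minimal ZIP, and the same ZIP behind placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"placeholder")
        zf.writestr("classes.dex", b"placeholder")
    plain = buf.getvalue()
    # DEX magic plus zero padding; this is not a loadable DEX, it only
    # gives the detector the leading bytes it looks for.
    fake_header = DEX_MAGIC + b"035\x00" + bytes(104)
    return plain, fake_header + plain


if __name__ == "__main__":
    plain, prefixed = constructed_samples()
    print("plain zip:   ", classify_upload(plain))
    print("dex in front:", classify_upload(prefixed))
```

Run against the two PoC files linked above, the normal APK should classify as clean and the repacked one as dex_prefixed.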