This is a simple script that scans an APK and an Android device for being vulnerable of CVE-2017–13156.
A serious vulnerability in Android allows attackers to inject a DEX file into an APK file without affecting the signatures. (i.e. modify the code in applications without affecting their signatures.)
This can be exploited due to the problem, that a Android Package file can be a valid APK file and a valid DEX file at the same time.
You can read more about this vulnerability in this detailed medium article.
A brief summary of what Janus vulnerability is:
- applications that are signed only with v1 when installed on devices having android version (5.0–8.0) are vulnerable
- applications that are signed with v1 and also v2, v3 or both when installed on devices having android version (5.0–7.0) are vulnerable
Make sure you have python installed in your system (for instance v2.7 should work) along with pip and then type
pip install -r requirements.txt
python janus.py path/to/file.apk(Optional)
To scan your device, please install ADB tools, allow USB-Debugging for your device, and re-run the script while the device is plugged-in to your computed (https://www.xda-developers.com/install-adb-windows-macos-linux/).
