Security researchers from mobile security firm GuardSquare have discovered a vulnerability called Janus that enables hackers to bypass app signature checks and inject malware into Android apps.
The flaw (tracked as CVE-2017-13156) enables attackers to change the code in applications without affecting their signatures. The main issue is that the modified file can be a valid APK file and a valid DEX file at the same time.
According to the researchers:
"The Janus vulnerability stems from the possibility to add extra bytes to APK files and to DEX files. On the one hand, an APK file is a zip archive, which can contain arbitrary bytes at the start, before its zip entries (actually more generally, between its zip entries)."
The Janus flaw affects only applications signed with the app signature scheme v1; applications signed with the signature scheme v2 are not affected.
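A defensive check for the file shape described above, added here as an example (it is not GuardSquare's or Google's code): it reports whether a file that parses as an APK has bytes in front of its zip entries, whether it begins with the DEX magic, and whether it carries only a v1 (JAR) signature. The function names and the sample archive are constructed for illustration, and the presence of the APK Signing Block magic is assumed to indicate scheme v2.

```python
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n"                   # every DEX file starts with these bytes
SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # last 16 bytes of the APK Signing Block (scheme v2)

def inspect_apk(data: bytes) -> dict:
    """Report the file traits relevant to Janus (CVE-2017-13156)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    names = [i.filename for i in infos]
    # Offset of the first local file header = bytes sitting in front of the zip entries.
    prefix_len = min((i.header_offset for i in infos), default=0)
    # Locate the central directory from the end-of-central-directory record.
    eocd = data.rfind(b"PK\x05\x06")
    cd_size = struct.unpack_from("<I", data, eocd + 12)[0]
    cd_start = eocd - cd_size
    has_v1 = any(n.startswith("META-INF/") and n.endswith(".SF") for n in names)
    # The signing block, when present, ends right before the central directory.
    has_v2 = data[max(cd_start - 16, 0):cd_start] == SIG_BLOCK_MAGIC
    starts_as_dex = data[:4] == DEX_MAGIC
    return {
        "prefix_bytes": prefix_len,
        "starts_as_dex": starts_as_dex,
        "v1_only": has_v1 and not has_v2,
        "suspicious": starts_as_dex or prefix_len > 0,
    }

def build_sample_apk() -> bytes:
    """Constructed stand-in for a v1-signed APK (placeholder contents, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
    return buf.getvalue()

if __name__ == "__main__":
    clean = build_sample_apk()
    # Constructed test fixture: 64 placeholder bytes with a DEX magic in front of the archive.
    prefixed = b"dex\n035\x00" + b"\x00" * 56 + clean
    for label, blob in (("clean", clean), ("prefixed", prefixed)):
        print(label, inspect_apk(blob))
```

A file flagged `suspicious` that is also `v1_only` matches the combination the article describes; a normal APK starts directly with its first zip entry and reports `prefix_bytes` of 0.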
The flaw only affects devices running Android 5.0 and later. An Android update that patches devices against the Janus vulnerability is available for owners of Google smartphones. The rest of the Android pleb is at the mercy of mobile carriers.
Users are advised to install apps and updates only from the Google Play Store.