Tags: android, security, apk, jar-signing, cve

Why are Android versions older than 5.0 not vulnerable to CVE-2017-13156?


I was just reading about the Janus vulnerability (CVE-2017-13156) and there is one thing I cannot understand.

The vulnerability lies in the implementation of the installation of the APK and Signature Scheme v1 (JAR signature). It allows you to craft a malicious APK file by prepending a malicious DEX file to a legitimate APK. The malicious DEX file is installed instead of the DEX file of the legitimate APK. The signature (if using the v1 scheme) is not broken.

The writeup in the link above mentions the vulnerable versions of Android being 5.0 and newer (the CVE record mentions 5.1.1 to 8.0, but that's not the main problem now).

So my question is:

Why is 5.0 the lowest vulnerable version of Android? Does Android older than 5.0 use a different signature scheme? Or is there a difference in the way APKs are being installed on Android 5.0 and newer and Android lower than 5.0?
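The following is an added example, not part of the original question or of any Janus writeup. It illustrates the file-format property the question describes: a ZIP is parsed from its end-of-central-directory record, so bytes prepended to an APK leave every entry (and therefore every per-entry digest a v1/JAR signature covers) intact, while a loader that inspects offset 0 sees a DEX magic instead. The "APK" is a constructed two-entry ZIP with a simplified MANIFEST.MF, the prepended "DEX" is only a magic plus a zeroed header (not a loadable DEX), and the helper names (`build_fake_apk`, `make_polyglot`, `is_janus_polyglot`, ...) are this example's own. The last function is the check a scanner would run: a file that begins with DEX magic yet still parses as a ZIP is a DEX/ZIP polyglot.

```python
"""Added example: DEX/ZIP polyglot construction and detection.

Not code from the original post. The APK, manifest and DEX header are
constructed stand-ins; real APKs also carry META-INF/*.SF and *.RSA.
"""
import base64
import hashlib
import io
import zipfile

DEX_MAGIC = b"dex\n035\x00"   # 8-byte magic of a DEX v035 file
DEX_HEADER_SIZE = 0x70        # a DEX header is 0x70 bytes


def build_fake_apk(classes_dex: bytes) -> bytes:
    """Constructed APK stand-in: classes.dex plus a v1-style MANIFEST.MF
    that records the SHA-256 digest of that entry."""
    digest = base64.b64encode(hashlib.sha256(classes_dex).digest()).decode()
    manifest = ("Manifest-Version: 1.0\n\n"
                f"Name: classes.dex\nSHA-256-Digest: {digest}\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("classes.dex", classes_dex)
    return buf.getvalue()


def fake_dex_header() -> bytes:
    """Constructed: DEX magic followed by a zeroed header. Enough to pass a
    magic check at offset 0; it is not a loadable DEX."""
    return DEX_MAGIC + b"\x00" * (DEX_HEADER_SIZE - len(DEX_MAGIC))


def make_polyglot(dex_blob: bytes, apk: bytes) -> bytes:
    """Prepend the DEX blob to the APK. Python's zipfile finds the
    end-of-central-directory record from the end of the file and adds the
    prefix length to every entry offset, so the ZIP view is unchanged
    while the DEX view starts at offset 0."""
    return dex_blob + apk


def entry_digests(data: bytes) -> dict:
    """SHA-256 of each entry's decompressed contents, i.e. the values a
    v1 (JAR) signature check compares against MANIFEST.MF."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {name: hashlib.sha256(z.read(name)).hexdigest()
                for name in z.namelist()}


def manifest_digest_matches(data: bytes) -> bool:
    """Simplified v1 check: the digest recorded for classes.dex in
    MANIFEST.MF equals the digest of the entry actually in the ZIP."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        manifest = z.read("META-INF/MANIFEST.MF").decode()
        recorded = manifest.split("SHA-256-Digest: ")[1].strip()
        actual = base64.b64encode(
            hashlib.sha256(z.read("classes.dex")).digest()).decode()
    return recorded == actual


def is_janus_polyglot(data: bytes) -> bool:
    """Detector: parses as a ZIP but starts with DEX magic. A plain APK
    starts with the ZIP local-file-header signature b'PK\\x03\\x04'."""
    return data[:4] == b"dex\n" and zipfile.is_zipfile(io.BytesIO(data))


def demo() -> dict:
    legit_dex = b"constructed stand-in for a legitimate classes.dex"
    apk = build_fake_apk(legit_dex)
    polyglot = make_polyglot(fake_dex_header(), apk)
    return {
        "apk_flagged": is_janus_polyglot(apk),
        "polyglot_flagged": is_janus_polyglot(polyglot),
        "digests_unchanged": entry_digests(apk) == entry_digests(polyglot),
        "manifest_ok_apk": manifest_digest_matches(apk),
        "manifest_ok_polyglot": manifest_digest_matches(polyglot),
        "polyglot_magic": polyglot[:8],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running `demo()` shows the two views side by side: the polyglot is flagged, the plain APK is not, and the per-entry digests (hence the simplified v1 manifest check) are identical before and after prepending. Note that tolerance for a prefix is a property of the ZIP parser; Python's `zipfile` compensates for it, and the page does not describe how Android's own ZIP handling or the v1 verifier treat it, so that part is deliberately not modelled here.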


Solution

  • ART, the Android Runtime, has replaced the Dalvik VM since Android 5.0.

    And obviously, an ART exploit does not apply to the Dalvik VM.