Google’s December 2017 Android Security Bulletin contains a fix for a vulnerability that allows malicious actors to bypass app signatures and inject malicious code into Android apps. The vulnerability resides in the mechanism the Android OS uses to read application signatures. Researchers discovered that they could inject a DEX file inside an APK and the Android OS would still think it’s reading the original APK file. This happens because the DEX insertion process does not alter the bytes Android checks for integrity. An Android update that patches phones against the vulnerability, known as Janus, is available for owners of Google smartphones.
Source: https://www.bleepingcomputer.com/news/security/android-vulnerability-lets-malware-bypass-app-signatures/
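
A defender-side check for the file shape described above, as an added example that is not from the bulletin or the cited article: it flags a file that opens with a DEX header yet also ends as a ZIP/APK archive. It assumes the injected DEX data sits at the very start of the file; the function names and sample bytes are constructed for illustration.

```python
import io
import re
import struct
import zipfile

DEX_MAGIC = re.compile(rb"dex\n\d{3}\x00")  # DEX header magic, e.g. b"dex\n035\0"
EOCD_SIG = b"PK\x05\x06"                     # ZIP end-of-central-directory record
EOCD_MIN = 22                                # EOCD size with an empty comment
MAX_COMMENT = 0xFFFF                         # largest possible ZIP comment

def find_eocd(data: bytes) -> int:
    """Return the offset of an EOCD record that ends exactly at EOF, or -1."""
    start = max(0, len(data) - EOCD_MIN - MAX_COMMENT)
    pos = data.rfind(EOCD_SIG, start)
    while pos != -1:
        if pos + EOCD_MIN <= len(data):
            (comment_len,) = struct.unpack_from("<H", data, pos + 20)
            if pos + EOCD_MIN + comment_len == len(data):
                return pos
        pos = data.rfind(EOCD_SIG, start, pos)
    return -1

def classify(data: bytes) -> str:
    """Label a file as 'zip', 'dex', 'dex+zip' (suspicious) or 'unknown'."""
    has_dex_header = DEX_MAGIC.match(data) is not None
    is_zip = find_eocd(data) != -1
    if has_dex_header and is_zip:
        return "dex+zip"  # one file that parses from both ends: flag for review
    if is_zip:
        return "zip"
    return "dex" if has_dex_header else "unknown"

def build_samples() -> dict:
    """Constructed inputs: placeholder bytes only, not real app or DEX content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder entry
    apk = buf.getvalue()
    fake_dex = b"dex\n035\x00" + b"\x00" * 104  # header-sized stub, no code
    return {"clean.apk": apk, "classes.dex": fake_dex, "odd.apk": fake_dex + apk}

if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name}: {classify(blob)}")
```

A normal APK begins with a ZIP local file header, so a `dex+zip` result on a file distributed as an APK is worth quarantining and inspecting before install.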