Package: diffoscope
Version: 88

The Janus bug for Android works by making a valid APK file that is also
a valid DEX file.

https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures

Diffoscope sees these files as different file types, so there is no way
to inspect the malware payload. Given this and the issues in file
detection in #849782, there should be a way to force which kind of
comparison that diffoscope does.  Something like --force=apk would solve
both.

There are two example files attached.

Attachment: HelloWorld.apk
Description: application/vnd.android.package-archive

Attachment: HelloWorld-Janus.apk
Description: application/vnd.android.package-archive

Attachment: signature.asc
Description: OpenPGP digital signature
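As an added illustration of the ambiguity this report describes (this is example code, not part of the bug report and not diffoscope's own detection logic), the function below checks a byte string for both signatures at once: the DEX header magic at the start and a ZIP end-of-central-directory record near the end, which is what a ZIP parser looks for. A file that satisfies both is the polyglot case, and a detector that returns only one type for it will pick one view and hide the other. The sample is a constructed fixture (a DEX magic prepended to a tiny in-memory ZIP), not a real Janus-style APK.

```python
import io
import zipfile

# A DEX file begins with "dex\n", a three-digit version and a NUL byte,
# e.g. b"dex\n035\x00".
DEX_MAGIC_PREFIX = b"dex\n"


def has_dex_magic(data: bytes) -> bool:
    """True if the data starts with a DEX header magic."""
    return len(data) >= 8 and data[:4] == DEX_MAGIC_PREFIX and data[7:8] == b"\x00"


def is_zip(data: bytes) -> bool:
    """True if a ZIP reader would accept the data.

    ZIP readers locate the end-of-central-directory record by scanning from
    the end of the file, so leading bytes of another format do not stop them.
    """
    return zipfile.is_zipfile(io.BytesIO(data))


def classify(data: bytes) -> str:
    """Return 'dex', 'zip', 'dex+zip' (both signatures present) or 'unknown'."""
    dex, zp = has_dex_magic(data), is_zip(data)
    if dex and zp:
        return "dex+zip"
    if dex:
        return "dex"
    if zp:
        return "zip"
    return "unknown"


def make_plain_zip() -> bytes:
    """Build a small ZIP in memory with one placeholder entry (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"placeholder")
    return buf.getvalue()


# Constructed fixture: a DEX-looking header in front of a real ZIP archive.
CONSTRUCTED_POLYGLOT = b"dex\n035\x00" + make_plain_zip()

if __name__ == "__main__":
    print("plain zip ->", classify(make_plain_zip()))
    print("fixture   ->", classify(CONSTRUCTED_POLYGLOT))
```

A classifier like this reports a file as a polyglot rather than silently committing to one type; a tool with a `--force`-style option, as the report proposes, could then be told which of the two views to diff.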
