Around half of Android smartphones are vulnerable to a new hack that may allow attackers to modify or replace apps with malicious ones that steal passwords and other sensitive data.
Android installer hijacking bug
The “Android installer hijacking” vulnerability, as researchers from Palo Alto Networks have named it, comes into play when an APK is downloaded by a third-party app store, or fetched after a user taps an app advertisement served by a mobile advertising library, and is saved to storage that other apps on the device can write to.
Here’s the summary from Palo Alto Networks:
We discovered a widespread vulnerability in Google’s Android OS we are calling “Android Installer Hijacking” estimated to impact more than 49 percent of all current Android users.
- Android Installer Hijacking allows an attacker to modify or replace a seemingly benign Android app with malware, without user knowledge. This only affects applications downloaded from third-party app stores.
- The malicious application can gain full access to a compromised device, including usernames, passwords, and sensitive data
- Palo Alto Networks worked with Google and major manufacturers such as Samsung and Amazon to inform them of the vulnerability and issue patches for their devices
How does it work?
The attack is based on what is known as a time-of-check to time-of-use (TOCTOU) vulnerability. The “time of check” is the moment the system app called PackageInstaller parses the APK file and shows the user the permissions it requests, such as network access or access to contacts, for approval. The “time of use” is the moment the user taps Install and the package is actually installed. On affected devices, PackageInstaller installs whatever file sits at the APK’s path at the time of use, without checking that it is still the file the user reviewed at the time of check.
“A vulnerability exists in this process because while the user is reviewing this information, the attacker can modify or replace the package in the background,” Palo Alto Networks researcher Zhi Xu wrote in a blog post on Tuesday.
“Verified with Android OS source code posted in AOSP [Android Open Source Project], it shows that the PackageInstaller on affected versions does not verify the APK file at the ‘time of use.’ Thus, in the ‘time of use’ (i.e., after clicking the ‘install’ button), the PackageInstaller can actually install a different app with an entirely different set of permissions.”
One way to exploit this is to ship a benign-looking app that later swaps in malware during a victim’s next install. Another is to use the same weakness to hide the true permissions an app needs: the user reviews a modest permission list, and the package that actually gets installed requests far more. In both cases, users end up installing an app that is completely different from the one they approved during the permission review.
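The race described above, reduced to a runnable model (an added example, not code from Palo Alto Networks or from AOSP): a fake “APK” is a zip whose manifest is a plain list of permissions; the vulnerable installer parses the file to show permissions, then re-reads the same path to install, and an attacker hook rewrites the file in between. The hardened variant is one generic fix pattern assumed for illustration (snapshot the bytes at time of check and refuse to install if the file on disk no longer hashes to the same value); it is not presented as the exact patch Google shipped. All file names, permission lists and payloads are constructed sample data.

```python
import hashlib
import io
import os
import tempfile
import zipfile

# Constructed stand-in for an APK: a zip archive whose "AndroidManifest.xml"
# entry is a newline-separated list of requested permissions. Real APKs carry
# a binary XML manifest and a signature; neither matters for the race itself.


def build_apk(permissions, payload):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", "\n".join(permissions))
        z.writestr("classes.dex", payload)
    return buf.getvalue()


def parse_permissions(apk_bytes):
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return z.read("AndroidManifest.xml").decode().split("\n")


def vulnerable_install(apk_path, user_approves, attacker_window=None):
    """Models the affected PackageInstaller flow: parse the file to show
    permissions (time of check), then re-read the same path to install it
    (time of use) without confirming it is still the same file."""
    with open(apk_path, "rb") as f:
        shown = parse_permissions(f.read())          # time of check
    if not user_approves(shown):
        return None
    if attacker_window:
        attacker_window()                            # another app rewrites the file
    with open(apk_path, "rb") as f:
        installed = parse_permissions(f.read())      # time of use: trusts the path again
    return {"approved": shown, "installed": installed}


def hardened_install(apk_path, user_approves, attacker_window=None):
    """Assumed fix pattern (not the exact AOSP patch): snapshot the bytes at
    time of check and refuse to install unless the file on disk at time of
    use hashes to the same value; install from the snapshot, not the path."""
    with open(apk_path, "rb") as f:
        snapshot = f.read()
    shown = parse_permissions(snapshot)
    if not user_approves(shown):
        return None
    if attacker_window:
        attacker_window()
    with open(apk_path, "rb") as f:
        current = f.read()
    if hashlib.sha256(current).digest() != hashlib.sha256(snapshot).digest():
        raise ValueError("APK changed between permission review and install")
    return {"approved": shown, "installed": parse_permissions(snapshot)}


BENIGN_PERMS = ["android.permission.INTERNET"]
MALICIOUS_PERMS = BENIGN_PERMS + [
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
]


def run_demo():
    """Run both installers against the same file swap; return what each did."""
    benign = build_apk(BENIGN_PERMS, b"benign code")
    malicious = build_apk(MALICIOUS_PERMS, b"malicious code")

    def user_approves(perms):
        return perms == BENIGN_PERMS        # the user only ever accepts INTERNET

    with tempfile.TemporaryDirectory() as shared_dir:   # stands in for /sdcard
        apk_path = os.path.join(shared_dir, "game.apk")

        def write(data):
            with open(apk_path, "wb") as f:
                f.write(data)

        def swap_in_malware():
            write(malicious)

        write(benign)
        vuln = vulnerable_install(apk_path, user_approves, swap_in_malware)

        write(benign)
        try:
            hardened_install(apk_path, user_approves, swap_in_malware)
            hardened_blocked = False
        except ValueError:
            hardened_blocked = True

    return {
        "approved": vuln["approved"],
        "vulnerable_installed": vuln["installed"],
        "hardened_blocked": hardened_blocked,
    }


if __name__ == "__main__":
    result = run_demo()
    print("user approved:       ", result["approved"])
    print("vulnerable installed:", result["vulnerable_installed"])
    print("hardened blocked:    ", result["hardened_blocked"])
```

The vulnerable path installs a package requesting READ_CONTACTS and SEND_SMS even though the user only approved INTERNET; the hardened path aborts because the bytes at time of use no longer match what was reviewed. The same protection falls out of copying the APK into app-private storage before parsing it, which is why downloads that never touch shared storage are not exposed.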
Patched, but some Android 4.3 devices still vulnerable
The vulnerability was patched in Android 4.3 release 0.9 (4.3_r0.9) and later, but Xu has warned that some devices shipped as Android 4.3 predate the fix and are still susceptible. Devices running versions older than the patched release account for 49.9% of the handsets Google monitors, according to Google’s own figures.
Until their manufacturer ships an update, people using vulnerable devices should steer clear of third-party app stores and use Google Play as their sole source of apps.
SOURCE: Palo Alto Networks