Androids Vulnerable to Hijacking Attacks

Thursday, March 26, 2015 @ 03:03 PM gHale

Attackers can exploit an Android vulnerability discovered a year ago to trick users into downloading malicious apps from third-party stores, researchers said.

The “Android Installer Hijacking” vulnerability affects half of all Android users. When first discovered, the flaw was in nearly 90 percent of all Android installations, said researchers at Palo Alto Networks.


The flaw allows attackers to change or replace a seemingly benign Android application with malware during installation, without the user's knowledge. It can be exploited to fully compromise the target device and harvest any information and sensitive data found on it.

“Android supports the ability to install apps from the Google Play store as well as from the local file system. Google Play downloads Android packages (APKs) to a protected space of the file system. Third party app stores and mobile advertisement libraries usually download APK files to unprotected local storage (e.g. /sdcard/) and install the APK files directly,” said Palo Alto Networks researcher Zhi Xu.

“Both methods use a system application called PackageInstaller to complete the installation. On affected platforms, we discovered that the PackageInstaller has a ‘Time of Check’ to ‘Time of Use’ vulnerability. In layman’s terms, that simply means that the APK file can be modified or replaced during installation without the user’s knowledge. The Installer Hijacking vulnerability affects APK files downloaded to unprotected local storage only because the protected space of Play Store app cannot be accessed by other installed apps.”
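The race the quote describes, simulated as an added Python example that is not part of the original article or Palo Alto Networks' code: a swap hook stands in for a second app with write access to unprotected storage such as /sdcard/, temporary directories stand in for shared and app-private storage, and the APK contents are constructed byte strings. The hardened variant shows the mitigation: copy the file into private storage before checking it, then install from that copy.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Hash a file; this is the 'check' step of the installer."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def install_vulnerable(shared_apk, expected_hash, swap_hook):
    """Check and use the same world-writable path (TOCTOU window between them)."""
    if sha256_of(shared_apk) != expected_hash:      # time of check
        return None
    swap_hook(shared_apk)                            # another app rewrites the file
    with open(shared_apk, "rb") as f:                # time of use: re-read from /sdcard
        return f.read()


def install_hardened(shared_apk, expected_hash, swap_hook, private_dir):
    """Copy into app-private storage first; check and use the private copy only."""
    private_copy = os.path.join(private_dir, "staged.apk")
    shutil.copyfile(shared_apk, private_copy)        # other apps cannot write here
    if sha256_of(private_copy) != expected_hash:     # time of check on private copy
        return None
    swap_hook(shared_apk)                            # swap on the shared path is irrelevant
    with open(private_copy, "rb") as f:              # time of use on the same private copy
        return f.read()


def demo():
    """Run both flows against the same race; returns (vulnerable_result, hardened_result)."""
    benign = b"BENIGN_APK"          # constructed stand-in for a legitimate package
    malicious = b"MALICIOUS_APK"    # constructed stand-in for the swapped-in package
    expected = hashlib.sha256(benign).hexdigest()

    def swap(path):                 # hypothetical second app racing the installer
        with open(path, "wb") as f:
            f.write(malicious)

    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
        apk = os.path.join(shared, "app.apk")
        with open(apk, "wb") as f:
            f.write(benign)
        vulnerable = install_vulnerable(apk, expected, swap)
        with open(apk, "wb") as f:
            f.write(benign)         # reset the shared file for the second run
        hardened = install_hardened(apk, expected, swap, private)
    return vulnerable, hardened
```

The vulnerable flow passes its hash check yet installs the swapped contents; the hardened flow installs exactly what it verified.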

There are several ways in which this vulnerability can be exploited, but the good news is that the Android Security Team has not detected any attempts to exploit it on user devices.

Devices with Android version 4.3 may contain this vulnerability (it depends on the vendor). Devices with Android version 4.2 and earlier all have this vulnerability.

Android version 4.4 and later versions fixed this flaw, so users should update to one of these versions (if possible).
