Researchers have discovered a widespread vulnerability – estimated to impact 50 percent of all current Android users – capable of replacing legitimate applications with information-stealing malware.
Known as “Android Installer Hijacking,” the critical vulnerability could allow an attacker to gain full access to the compromised device and collect sensitive data, including usernames and passwords.
Palo Alto Networks senior staff engineer Zhi Xu explained how the attack could be carried out in a blog post on Tuesday:
“Android supports the ability to install apps from the Google Play store, as well as from the local file system. Google Play downloads Android packages (APKs) to a protected space of the file system. Third party app stores and mobile advertisement libraries usually download APK files to unprotected local storage (e.g. /sdcard/) and install the APK files directly. Both methods use a system application called PackageInstaller to complete the installation.”
Xu and his team found that on affected platforms, the PackageInstaller contains a “Time of Check to Time of Use” (TOCTOU) vulnerability.
“In layman’s terms, that simply means that the APK file can be modified or replaced during installation without the user’s knowledge.”
According to Xu, the Installer Hijacking flaw affects APK files downloaded to unprotected local storage, since the protected space of the Google Play store cannot be accessed by other installed applications.
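The check-then-use gap Xu describes, as an added simulation that is not Palo Alto Networks' or Android's code: a toy text-file "APK" (constructed format, first line lists permissions) stands in for the real package, and the fixed flow copies it into private storage and pins a hash before the user is shown the permission prompt.

```python
import hashlib
import os
import shutil
import tempfile

def manifest_permissions(path):
    """Time-of-check step: the permission list shown to the user.
    Toy 'APK' format (constructed): first line is a comma-separated list."""
    with open(path, encoding="utf-8") as f:
        return f.readline().strip().split(",")

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def unsafe_install(apk_path, user_approves, swap_hook):
    """Flawed flow: checks and installs from the same world-writable path."""
    if not user_approves(manifest_permissions(apk_path)):
        raise ValueError("user declined")
    swap_hook()  # window in which another app can overwrite the file on /sdcard
    return manifest_permissions(apk_path)  # time of use: whatever is on disk now

def safe_install(apk_path, user_approves, swap_hook):
    """Fixed flow: stage the APK in private storage first and pin its hash."""
    staged = os.path.join(tempfile.mkdtemp(), "staged.apk")  # app-private stand-in
    shutil.copyfile(apk_path, staged)
    pinned = sha256_of(staged)
    if not user_approves(manifest_permissions(staged)):
        raise ValueError("user declined")
    swap_hook()  # the /sdcard copy may change; the staged copy is out of reach
    if sha256_of(staged) != pinned:
        raise ValueError("package changed after approval")
    return manifest_permissions(staged)

def run_demo():
    """Returns (permissions installed by the flawed flow, by the fixed flow)."""
    apk = os.path.join(tempfile.mkdtemp(), "game.apk")  # constructed /sdcard stand-in
    def write(perms):
        with open(apk, "w", encoding="utf-8") as f:
            f.write(",".join(perms) + "\n")
    def swap():  # simulates the file being replaced after the user approved
        write(["INTERNET", "READ_SMS", "READ_CONTACTS"])
    approve = lambda perms: perms == ["INTERNET"]  # user consents to this list only
    write(["INTERNET"])
    got_unsafe = unsafe_install(apk, approve, swap)
    write(["INTERNET"])
    got_safe = safe_install(apk, approve, swap)
    return got_unsafe, got_safe
```

In the flawed flow the user approves one permission and three get installed; in the fixed flow the swap never reaches the staged copy, and any change to it after approval is caught by the pinned hash.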
The researchers were able to exploit the vulnerability using several methods, such as externally modifying the APK to install a benign-looking app loaded with malware, or masking the app permissions.
“We have successfully tested both exploits against Android 2.3, 4.0.3-4.0.4, 4.1.X, and 4.2.x,” said Xu.
Some Android 4.3 versions may also be affected, depending on the phone vendor.
The group of researchers stated they have been cooperating with Google and other major manufacturers, including Samsung and Amazon, to patch the affected Android devices.
Additionally, the team published a free vulnerability scanner app, available on the Google Play store, that can identify affected devices.