A new study has led to the discovery of a widespread vulnerability in Google’s Android OS, popularly termed “Android Installer Hijacking”. It is estimated to impact 49.5 percent of all current Android users. The hijacking lets an attacker modify or customize an Android app with malware, and it affects only apps downloaded from third-party app stores and the users who install them. The affected apps gain full access to the device they are installed on and can access usernames, passwords, and sensitive data. Palo Alto Networks worked with Google and other major manufacturers on the vulnerability and on patches for the issue.
How was it discovered?
In January 2014, a new timing-related vulnerability was discovered in Android OS that allows an attacker to hijack the ordinary Android APK installation process. The hijacking technique can bypass the user view and can be used to distribute malware. Applications can be substituted: for example, “Subway Surfers” can be replaced by “Flashlight”.
Most Android apps are downloaded via the Google Play Store, while some unauthorized apps are downloaded using third-party apps. Google Play downloads Android packages (APKs) and stores them in a protected space on the system. Third-party APKs are stored in unprotected local storage and, unlike Google Play’s APKs, can be installed directly. On affected devices, the “Package installer” that is used to install both Google APKs and third-party APKs has a “Time of Check” to “Time of Use” (TOCTTOU) vulnerability. As a result, an APK can be modified or replaced during installation without the user’s knowledge. Protected storage remains safe, while unprotected storage is at high risk.
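The check-then-use gap described above can be reproduced with ordinary files. The following Python simulation is an added example, not code from Android's PackageInstaller or from Palo Alto Networks; the function names, the temporary directories standing in for unprotected and protected storage, and the package bytes are all constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile

def digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def install_vulnerable(path, window):
    """Check the package, then re-read the same shared path at install time."""
    approved = digest(path)    # time of check: what the user reviews
    window()                   # consent screen is open; other apps can write here
    installed = digest(path)   # time of use: file is read again from shared storage
    return approved, installed

def install_hardened(path, private_dir, window):
    """Stage into installer-private storage first; check and use only the copy."""
    staged = os.path.join(private_dir, "staged.apk")
    shutil.copyfile(path, staged)
    os.chmod(staged, 0o600)
    approved = digest(staged)
    window()
    installed = digest(staged)
    if installed != approved:  # defence in depth: pin the digest across the window
        raise RuntimeError("package changed between check and use")
    return approved, installed

def demo():
    shared = tempfile.mkdtemp()   # stands in for unprotected local storage
    private = tempfile.mkdtemp()  # stands in for protected installer storage
    apk = os.path.join(shared, "app.apk")
    def write(data):
        with open(apk, "wb") as f:
            f.write(data)
    reviewed = b"constructed bytes: package the user reviewed"
    def swap():                   # any writer to shared storage during the window
        write(b"constructed bytes: a different package")
    write(reviewed)
    vuln = install_vulnerable(apk, swap)
    write(reviewed)
    hard = install_hardened(apk, private, swap)
    shutil.rmtree(shared)
    shutil.rmtree(private)
    return vuln[0] == vuln[1], hard[0] == hard[1]

if __name__ == "__main__":
    print(demo())
```

The first value reports whether the package installed by the check-then-reread flow still matches what was reviewed; the second reports the same for the staged-copy flow.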
The vulnerability can be exploited in different ways: by externally modifying the APK or through a self-modifying APK. It affects both the device and app developers. Confusion may arise while you download apps. Rooted devices are more vulnerable in this case. Android 4.3 versions are rumored to be affected by this vulnerability. Android 4.4 and later versions have fixed this vulnerability, as have Amazon and Samsung.
This news was reported earlier by Palo Alto Networks Research.