Installer hijack vulnerability threatens almost half of all Android devices

A widespread security bug has been discovered by Palo Alto Networks which affects almost 50% of all devices running Android OS. The vulnerability allows an application installation to be hijacked and the installation contents modified, without authorization, after the review/verification process. The greatest threat is while installing content from 3rd party stores (apart from the Google Play store) in which the installation files are downloaded to an insecure location (unprotected SD card storage).

Package Installer vulnerability allows unauthorized modification of installation files

When an android application is selected for installation, an apk installer file is downloaded. This may be obtained from the official Google Play store, other third party stores or websites. When the application is downloaded from the play store, it is stored in a secure system location. However, when other sources are used, the files are downloaded to an SD card or other ordinary, unprotected storage locations. In both cases a system program called PackageInstaller is used to extract the files and install the application. As one would expect, the file to be installed is first verified for safety and compatibility before installation. The user is also prompted to review and decide whether or not to provide the requested privileges to the app. This part of the process is known as “time to check” where the user checks the app details and permissions. The issue here is that, the application can be modified or entirely replaced in the background, during this “time to check” period, without notifying the user.

What are you really installing?

Due to this vulnerability the downloaded application may be completely different from the one reviewed and selected by the user. This means a user trying to install a legitimate application like “Angry Birds” may end up installing a completely different malicious/adware application. Deceit is the favorite weapon of cyber criminals and loopholes like this can be exploited to infect millions of devices with malware. Users with a good mobile security app like Emsisoft Mobile Security need not worry as any malicious application will be blocked from installation.

Several teams of security researchers including Samsung Knox team, Google Android Security team, and Amazon Web Services & Lab126 are working with Palo Alto Networks to patch this vulnerability. It is expected that a fix will arrive soon.

Have a nice (deceit-free) day!