Half of all Android devices vulnerable to installer hijacking attacks

A critical Android vulnerability that has been discovered over a year ago and responsibly disclosed to Google and other Android manufacturers can be exploited by attackers to trick users into downloading malicious apps from third-party stores.

Dubbed “Android Installer Hijacking” vulnerability, the flaw currently affects half of all Android users. When it was first discovered, it was present in nearly 90 percent of all Android installations.

The flaw, which allows attackers to change or replace a seemingly benign Android application with malware during installation – and without user knowledge – can be exploited to compromise the target device fully, and harvest any information and sensitive data found on it.

“Android supports the ability to install apps from the Google Play store as well as from the local file system. Google Play downloads Android packages (APKs) to a protected space of the file system. Third party app stores and mobile advertisement libraries usually download APK files to unprotected local storage (e.g. /sdcard/) and install the APK files directly,” Palo Alto Networks researcher Zhi Xu explained.

“Both methods use a system application called PackageInstaller to complete the installation. On affected platforms, we discovered that the PackageInstaller has a ‘Time of Check”‘ to “‘Time of Use’ vulnerability. In layman’s terms, that simply means that the APK file can be modified or replaced during installation without the user’s knowledge. The Installer Hijacking vulnerability affects APK files downloaded to unprotected local storage only because the protected space of Play Store app cannot be accessed by other installed apps.”

There are several ways in which this vulnerability can be exploited, but the good news is that the the Android Security Team has not detected any attempts to exploit this vulnerability on user devices.

Devices with Android version 4.3 may contain this vulnerability (it depends on the vendor). Devices with Android version 4.2 and earlier all have this vulnerability.
Android version 4.4 and later versions have fixed this flaw, so users are advised to update to one of these versions (if possible).

If you want to check whether your device is affected, you can use Palo Alto Networks’ free vulnerability scanner app.

“Android app developers are also affected, because app-store apps and mobile ads libraries that do not rely on Google Play store would be likely to save the promoted apps in unprotected storage, e.g. /sdcard,” the researcher noted.