The Android app ecosystem is not known for its security. Anyone can publish any nefarious app disguised as a fun game or useful utility. You need to be extremely careful when downloading apps from the Google Play store, and you should probably avoid third-party stores altogether, at least for a while. Here’s an example:
Roughly half of all Android handsets are vulnerable to a newly discovered hack that in some cases allows attackers to surreptitiously modify or replace seemingly benign apps with malicious ones that steal passwords and other sensitive data.
The “Android installer hijacking” vulnerability, as it has been dubbed by researchers from Palo Alto Networks, works only when apps are being downloaded from third-party app stores or when a user clicks on an app promotion advertisement hosted by a mobile advertisement library. Technically, it’s based on what’s known as a Time-of-check to time-of-use vulnerability. Affected devices fail to verify that the app being installed at the time of use was the one the end user approved during the time of check, which occurs when a user approves app permissions such as network access or access to the contacts database. The bug involves the way the system application called PackageInstaller installs app files known as APKs.
“A vulnerability exists in this process because while the user is reviewing this information, the attacker can modify or replace the package in the background,” Palo Alto Networks researcher Zhi Xu wrote in a blog post published Tuesday. “Verified with Android OS source code posted in AOSP [Android Open Source Project], it shows that the PackageInstaller on affected versions does not verify the APK file at the ‘time of use.’ Thus, in the ‘time of use’ (i.e., after clicking the ‘install’ button), the PackageInstaller can actually install a different app with an entirely different set of permissions.”
One scenario for exploiting the vulnerability involves an attacker using a benign-looking app to install malware in the future. A second scenario uses the same weakness to mask the true permissions an app requires. In both cases, targeted users can end up installing apps that are vastly different from the ones they approved during the permissions process.
The vulnerability has been patched in Android version 4.3_r0.9 and later, but Xu warned that some Android 4.3 devices remain vulnerable. By Google estimates, that accounts for 49.9 percent of the handsets the company monitors. Palo Alto Networks has released a scanner app that will indicate if a given device is vulnerable. People using vulnerable devices should steer clear of third-party app stores and use Google Play as their sole source of apps.
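The time-of-check/time-of-use gap described above, as an added illustration that is not code from the article, Palo Alto Networks or the Android project: a toy installer that re-reads the shared download path at install time versus one that copies the package into private storage at approval time and installs only that copy. The JSON "APK" format, the `private_dir` staging location and the digest re-check are assumptions for the simulation, not a description of how Android itself was patched.

```python
import hashlib, json, os, shutil, tempfile

def read_manifest(path):
    # Toy stand-in for an APK: a JSON file listing the permissions it requests.
    with open(path, "rb") as f:
        return json.loads(f.read().decode())

def digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def check_vulnerable(path, private_dir):
    # Time of check: show permissions from the shared path, remember only the path.
    return {"approved": read_manifest(path)["permissions"], "path": path}

def install_vulnerable(approval):
    # Time of use: re-read whatever now sits at that path, with no verification.
    return read_manifest(approval["path"])["permissions"]

def check_hardened(path, private_dir):
    # Time of check: copy into app-private storage first, show permissions from the copy.
    staged = os.path.join(private_dir, "staged.apk")
    shutil.copyfile(path, staged)
    return {"approved": read_manifest(staged)["permissions"],
            "staged": staged, "digest": digest(staged)}

def install_hardened(approval):
    # Time of use: install from the private copy, and re-verify it is unchanged.
    if digest(approval["staged"]) != approval["digest"]:
        raise RuntimeError("staged APK changed after approval")
    return read_manifest(approval["staged"])["permissions"]

def simulate(check, install):
    """Approve a benign toy APK, replace the file in the shared location, then install."""
    work = tempfile.mkdtemp()
    try:
        public = os.path.join(work, "download.apk")   # stands in for a shared download dir
        private = os.path.join(work, "private")
        os.mkdir(private)
        with open(public, "w") as f:                  # constructed benign package
            json.dump({"permissions": ["INTERNET"]}, f)
        approval = check(public, private)
        with open(public, "w") as f:                  # the race window: a different package
            json.dump({"permissions": ["INTERNET", "READ_CONTACTS"]}, f)
        return {"approved": approval["approved"], "installed": install(approval)}
    finally:
        shutil.rmtree(work)
```

With the vulnerable pair the installed permission set differs from the approved one; with the hardened pair they match because the shared path is never consulted again after approval.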
This is a big deal, but not a surprise. Security vulnerabilities exist in all complex code. And in general the older the code, the more vulnerabilities there are. The major problems are:
- Most Android users will not hear this news
- Most users do not upgrade Android, especially when they need to. It is not automatic; they must consciously seek to upgrade
- Upgrading the OS on many phones is not supported by the carriers, so those users are completely hosed
What to do if you are an Android user:
- Check your OS version. Go to Settings->About Phone. If you have 4.3 or older, try to upgrade…
- Upgrade your Android OS:
  - Back up your device for safety
  - Go to Settings->About Phone->System Updates
  - Check Now
- If your carrier does not allow upgrades, the only way to be safe is to not enter any website passwords on your phone if you’ve loaded third-party apps, especially from outside the Google Play store, unless you are 100% certain every one of those apps is valid and authored by a reputable company. I realize that can be debilitating. A much better solution would be to get a new phone that does allow upgrades – there are certainly more security issues besides this one.