Android Installer Hijacking Flaw Puts Millions At Risk

Security researchers at Palo Alto Networks have identified a severe flaw in Android devices that allows an attacker to modify or replace a seemingly innocent Android app with malware without the user's knowledge. Device makers have released patches, but 49.5 percent of Android users are still vulnerable.

Attackers can exploit the 'Android Installer Hijacking' flaw to gain full access to a compromised device, including usernames, passwords, and other sensitive data.

Researchers found the vulnerability in January 2014 and publicly disclosed it on 24 March 2015.
Zhi Xu, senior staff engineer at Palo Alto Networks said, "This hijacking technique can be used to bypass the user view and distribute malware with arbitrary permissions. It can substitute one application with another, for instance if a user tries to install a legitimate version of “Angry Birds” and ends up with a Flashlight app that’s running malware. We are calling the technique that exploits this vulnerability Android Installer Hijacking."

[Image: Time to Check]

On vulnerable devices, while the user is at "Time to Check" (see the image above), the attacker can modify or replace the package in the background. Thus, at "Time of Use" (after the user clicks the "Install" button), the PackageInstaller can actually install a different app with an entirely different set of permissions.
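The check-versus-use window described above, modelled as an added example (this is not Palo Alto's or Android's code): a toy installer pins a SHA-256 digest of the package when it shows the permission prompt and refuses to proceed if the file on disk has changed by the time "Install" is tapped. The "APK" format and the `run_scenario` helper are constructed for the simulation.

```python
import hashlib
import os
import tempfile

def parse_permissions(apk_bytes: bytes) -> list[str]:
    # Constructed stand-in for reading AndroidManifest.xml: the toy "APK"
    # is text with one requested permission per line after a header line.
    return [ln.strip() for ln in apk_bytes.decode().splitlines()[1:] if ln.strip()]

def time_of_check(apk_path: str) -> tuple[str, list[str]]:
    """Permission prompt: parse the manifest and pin the file's SHA-256."""
    with open(apk_path, "rb") as f:
        data = f.read()
    return hashlib.sha256(data).hexdigest(), parse_permissions(data)

def time_of_use_naive(apk_path: str) -> list[str]:
    """Vulnerable pattern: re-read whatever is on disk when 'Install' is tapped."""
    with open(apk_path, "rb") as f:
        return parse_permissions(f.read())

def time_of_use_hardened(apk_path: str, pinned_digest: str) -> list[str]:
    """Fixed pattern: refuse if the bytes changed since the prompt."""
    with open(apk_path, "rb") as f:
        data = f.read()
    if hashlib.sha256(data).hexdigest() != pinned_digest:
        raise ValueError("APK modified between prompt and install")
    return parse_permissions(data)

def run_scenario(replaced_in_background: bool, hardened: bool) -> tuple[str, list[str]]:
    """One simulated install: ('installed', perms) or ('rejected', [])."""
    benign = b"APK\nandroid.permission.INTERNET\n"
    swapped = b"APK\nandroid.permission.INTERNET\nandroid.permission.READ_SMS\n"
    with tempfile.TemporaryDirectory() as d:
        apk = os.path.join(d, "app.apk")
        with open(apk, "wb") as f:
            f.write(benign)
        digest, _shown = time_of_check(apk)   # the user is shown only INTERNET
        if replaced_in_background:            # the window the article describes
            with open(apk, "wb") as f:
                f.write(swapped)
        try:
            perms = (time_of_use_hardened(apk, digest) if hardened
                     else time_of_use_naive(apk))
        except ValueError:
            return "rejected", []
        return "installed", perms
```

Pinning the digest detects the swap; copying the package into a directory only the installer can write to before the prompt closes the window entirely, since there is then nothing for a background process to replace.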

Palo Alto's exploits were successful against Android versions 2.3, 4.0.3 to 4.0.4, 4.1.x, and 4.2.x. "Be aware that some phone vendors’ Android 4.3 distributions may contain this vulnerability as well," Xu wrote.

Amazon recommends that its users download the latest version of the Amazon AppStore, which will update its Fire devices. You can also get the patch from Google.
