Up until recently, more than three-fourths of Android devices were vulnerable to “Android Installer Hijacking” attacks that could have compromised devices and given illegitimate apps access to sensitive data.
Palo Alto Networks coined the term and unveiled the vulnerability in a blog post released Tuesday, more than a year after initially discovering the bug and alerting Google and other Android manufacturers to its existence. Any attack leveraging the bug relies on the fact that Android packages (APKs) downloaded through Google Play are installed to a protected space, whereas apps downloaded through a third-party store are saved to unprotected local storage.
For an attack to succeed, a malicious application must already be installed on the device. This app can come from either a legitimate or third-party app store and can function perfectly. However, written into the app is code that allows it to detect when the user is installing a new app, according to the post.
The malicious app checks whether the new app is being installed through a third-party store or Google Play, or, more simply, whether it is being saved to a protected space or to unprotected local storage, the post says.
If the app is going to be saved in an unprotected space, the malicious app takes action: it overwrites the legitimate app with malware while the user is viewing the permission page. The installed app could receive more permissions than the permission page detailed, and the device is then compromised.
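The sequence above is a time-of-check to time-of-use race: the content the user reviews and the content that gets installed are read from the same writable location at different moments. The following Python model is an added illustration, not code from Palo Alto Networks or Android; it treats the package as an ordinary file, and all names and sample bytes are constructed. It contrasts an installer that re-reads shared storage with one that stages a private copy and pins its digest.

```python
import hashlib
import os
import shutil
import tempfile

ORIGINAL = b"constructed sample: package the user chose"
SUBSTITUTE = b"constructed sample: different package content"


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def naive_install(shared_path, while_user_reviews):
    """Review and install both read the same unprotected path."""
    reviewed = sha256_of(shared_path)   # content the permission page describes
    while_user_reviews()                # window while the user reads the page
    installed = sha256_of(shared_path)  # content actually installed
    return reviewed, installed


def staged_install(shared_path, private_dir, while_user_reviews):
    """Copy into a private directory first, then review and install the copy."""
    staged = os.path.join(private_dir, "staged.pkg")
    shutil.copyfile(shared_path, staged)
    os.chmod(staged, 0o600)
    reviewed = sha256_of(staged)
    while_user_reviews()
    installed = sha256_of(staged)
    if installed != reviewed:           # defence in depth: re-check the pin
        raise RuntimeError("package changed after permission review")
    return reviewed, installed


def run_demo():
    """Return (naive_mismatch, staged_mismatch) for one simulated file change."""
    with tempfile.TemporaryDirectory() as shared, \
            tempfile.TemporaryDirectory() as private:  # created with mode 0700
        path = os.path.join(shared, "download.pkg")

        def write(data):
            with open(path, "wb") as fh:
                fh.write(data)

        write(ORIGINAL)
        n_rev, n_inst = naive_install(path, lambda: write(SUBSTITUTE))
        write(ORIGINAL)
        s_rev, s_inst = staged_install(path, private, lambda: write(SUBSTITUTE))
        return n_rev != n_inst, s_rev != s_inst
```

`run_demo()` returns `(True, False)`: the naive flow installs content that differs from what was reviewed, while the staged flow installs exactly the reviewed bytes.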
The vulnerability affects Android 2.3, 4.0.3-4.0.4, 4.1.x, and 4.2.x. The Android Open Source Project issued patches for Android 4.3 and later, dropping the vulnerability rate to 50 percent, Ryan Olson, Unit 42 intelligence director, Palo Alto Networks, said in an interview with SCMagazine.com.
No exploits had been spotted in the wild prior to the blog post, Olson said, but he recommended that users only download from legitimate app stores.
“Generally, our guidance to any enterprise deploying Android is to keep it as locked down as possible,” he said. “Don't allow sources other than Google Play to install apps on the phone.”
The company also released a vulnerability scanner app through Google Play that can determine whether a device is vulnerable.