Android KitKat and above are not impacted

Mar 25, 2015 14:10 GMT  ·  By

Android devices that add content from unofficial app stores are exposed to malicious software, but security researchers found that almost half of them are susceptible to having the installation process of a legitimate app hijacked, ending up with a nefarious app instead.

The trouble stems from a vulnerability discovered in Google’s operating system that allows the hijack procedure to happen without users’ notice.

Only apps from unofficial stores can be changed

Leveraging the glitch, a Time-of-Check to Time-of-Use (TOCTTOU) race condition, an attacker could gain full control of the device and access sensitive data such as usernames and passwords.

The researchers at Palo Alto Networks call this swapping technique Android Installer Hijacking and have alerted major manufacturers, as well as Google, with a view to releasing a fix.

Completing the installation of an app relies on a system application called PackageInstaller, which is used when adding any app, be it from Google Play or from a third-party store.

However, APKs from an unofficial Android repository are downloaded to and installed from the SD card, a shared storage area that does not benefit from the same isolation as packages funneled in from the Play Store, which are kept in a location shielded from access by other components.

APK may be switched when permission list is displayed

The hijacking can occur while the user reviews the list of permissions and other details about the app and approves the installation; this stage is the “Time of Check,” since it is where the user's explicit consent to continue is obtained, after which the procedure reaches the “Time of Use” phase, when the software product is actually installed and can be employed.

“A vulnerability exists in this process because while the user is reviewing this information, the attacker can modify or replace the package in the background,” security researcher Zhi Xu said in a blog post on Tuesday.

He adds that PackageInstaller on the affected Android versions does not verify that the APK it shows the user is the same one it goes on to install, from start to finish.
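To make the check-versus-use gap concrete, here is an added Python model (not Android or Palo Alto Networks code) of the two installer behaviours: one that re-opens the APK by path after the user approves, and one that keeps the file it showed the user open and re-verifies its digest before installing. The scenario that rewrites the file during review is constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Added model of PackageInstaller's check and use steps. Not Android code:
# the "APK" is a plain file whose bytes stand in for the reviewed package.
def digest(fileobj):
    """SHA-256 of the whole file behind an already-open file object."""
    fileobj.seek(0)
    return hashlib.sha256(fileobj.read()).hexdigest()

def vulnerable_install(path, review):
    """Time of check: open the APK by path and show it to the user.
    Time of use: open the path AGAIN and install whatever is there now."""
    with open(path, "rb") as f:
        digest(f)                  # what the user is shown and approves
    review()                       # the permission dialog: the race window
    with open(path, "rb") as f:    # second lookup by name: may yield other bytes
        return f.read()

def hardened_install(path, review):
    """Keep the reviewed file open, remember its digest, and refuse to
    install unless the bytes read back from that same descriptor match."""
    with open(path, "rb") as f:
        reviewed = digest(f)
        review()
        if digest(f) != reviewed:  # overwritten in place during review
            raise RuntimeError("APK changed after review; aborting install")
        f.seek(0)
        return f.read()            # a rename over `path` cannot reach this fd

def run_scenario(swap_during_review):
    """Constructed scenario; returns what each installer installs, or None."""
    results = {}
    for name, install in (("vulnerable", vulnerable_install),
                          ("hardened", hardened_install)):
        with tempfile.TemporaryDirectory() as tmp:
            apk = os.path.join(tmp, "app.apk")
            with open(apk, "wb") as f:
                f.write(b"LEGIT-APK")
            def review():
                if swap_during_review:     # file rewritten while the dialog is up
                    with open(apk, "wb") as f:
                        f.write(b"OTHER-APK")
            try:
                results[name] = install(apk, review)
            except RuntimeError:
                results[name] = None
    return results
```

The hardened variant also covers the case where a different file is renamed over the path, because the descriptor it holds still refers to the file the user reviewed.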

Android 4.3 (Jelly Bean) and lower appear to be impacted; tests were successful on devices from Amazon and Samsung, and both companies have released patches to mitigate the risk.

Xu said that the vulnerability was disclosed to the affected parties in January 2014, when 89.4% of devices were susceptible. As newer versions of the OS (4.4 and up) that include a fix became available, the share of susceptible devices fell to about 49.5% by March 2015.

Users who want to check whether their device is affected can run Palo Alto Networks’ scanner app, released yesterday on the Play Store.