Experts at Palo Alto Networks discovered the Android Installer Hijacking vulnerability, a flaw in the app installation process that exposes roughly half of all Android users to attack.

The security researcher Zhi Xu from Palo Alto Networks discovered a critical vulnerability, dubbed Android Installer Hijacking, affecting the Android PackageInstaller system service. By exploiting the flaw, an attacker can gain unlimited permissions on the compromised smartphone and access the data it manages, including the user’s credentials and other sensitive data.

“We discovered a widespread vulnerability in Google’s Android OS we are calling “Android Installer Hijacking,” estimated to impact 49.5 percent of all current Android users.” reports a blog post from the company.

The expert explained that the vulnerability only affects mobile apps downloaded from third-party app stores; applications installed from the official Google Play store are safe because Google Play uses a sandboxed (protected) location for file downloads.

According to Palo Alto Networks, nearly 49.5 percent of Android mobile devices are exposed to a concrete risk of attacks exploiting the flaw.

Fortunately, no attempts to exploit the Installer Hijacking vulnerability on user devices have been detected in the wild.

“We have successfully tested both exploits against Android 2.3, 4.0.3-4.0.4, 4.1.X, and 4.2.x,” a Palo Alto researcher wrote. “According to Android Dashboard, this vulnerability affected approximately 89.4 percent of the Android population as of January 2014 (when we first discovered it), and approximately 49.5 percent of the Android population as of March 2015.”

Unit 42 discovery: #Android Installer Hijacking vulnerability exposes Android devices to data theft and #malware http://t.co/vCM4Ivdfx5

— Palo Alto Networks (@PaloAltoNtwks) 24 March 2015

Basically, attackers can exploit the flaw in the following ways:

  • Using an apparently harmless mobile app with benign-looking permissions that later downloads a separate, malicious app.
  • By tricking a user into downloading a malicious app that presents a seemingly benign set of permissions.

The company has released a vulnerability scanner app in the Google Play store and has open sourced it on GitHub.

Below is the attack chain as summarized by Palo Alto Networks:

  • During installation, Android applications list the permissions requested to perform their function, such as a messaging app requesting access to SMS messages, but not GPS location.
  • This vulnerability allows attackers to trick users by displaying a false, more limited set of permissions, while potentially gaining full access to the services and data on the user’s device, including personal information and passwords.
  • While users believe they are installing a flashlight app, or a mobile game, with a well-defined and limited set of permissions, they are actually running potentially dangerous malware.

Zhi Xu explained that the PackageInstaller is affected by a Time-of-Check to Time-of-Use (TOCTOU) vulnerability: the permissions are checked (and shown to the user) from an APK file in unprotected local storage, and that file can be modified by another app before the installer actually uses it.

“In layman’s terms, that simply means that the APK file can be modified or replaced during installation without the user’s knowledge. The Installer Hijacking vulnerability affects APK files downloaded to unprotected local storage only because the protected space of Play Store app cannot be accessed by other installed apps.” reports the blog post.
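To make the check/use gap concrete, the following is an added illustration (not code from Palo Alto Networks or from Android itself) that simulates an installer reading a permission list from a file in shared storage while another app rewrites that file between the check and the install, and then shows the mitigation the post describes: stage the APK in a private location and check and install that same copy. The APK layout is a constructed stand-in (a zip with a `permissions.txt` entry), and `concurrent_writer` is a hypothetical callback that plays the role of the racing app.

```python
import hashlib, os, shutil, tempfile, zipfile

# Constructed stand-in for an APK: "permissions.txt" plays the role of the manifest.
def write_fake_apk(path, permissions):
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("permissions.txt", "\n".join(permissions))

def read_permissions(path):
    with zipfile.ZipFile(path) as z:
        return z.read("permissions.txt").decode().split()

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def vulnerable_install(shared_apk, concurrent_writer):
    """Check and use the same shared, writable path: the TOCTOU pattern."""
    shown = read_permissions(shared_apk)       # time of check: list shown to the user
    concurrent_writer()                         # simulated race: another app rewrites the file
    installed = read_permissions(shared_apk)    # time of use: what is actually installed
    return shown, installed

def hardened_install(shared_apk, concurrent_writer):
    """Stage a private copy first, then check and install that same copy."""
    staging = tempfile.mkdtemp(prefix="installer-private-")
    private_apk = os.path.join(staging, "staged.apk")
    shutil.copyfile(shared_apk, private_apk)    # other apps cannot reach this directory
    digest = sha256_of(private_apk)
    shown = read_permissions(private_apk)
    concurrent_writer()                         # the race now only touches the shared copy
    if sha256_of(private_apk) != digest:        # refuse if the staged file changed at all
        raise RuntimeError("APK changed between check and install")
    installed = read_permissions(private_apk)
    shutil.rmtree(staging)
    return shown, installed

def demo():
    # Run both installers against a constructed "flashlight" APK in shared storage.
    shared_dir = tempfile.mkdtemp(prefix="shared-storage-")
    shared_apk = os.path.join(shared_dir, "flashlight.apk")
    benign = ["android.permission.CAMERA"]
    def swap_in_malicious_apk():
        write_fake_apk(shared_apk, benign + ["android.permission.READ_SMS"])
    write_fake_apk(shared_apk, benign)
    results = {"vulnerable": vulnerable_install(shared_apk, swap_in_malicious_apk)}
    write_fake_apk(shared_apk, benign)          # reset the shared file for the second run
    results["hardened"] = hardened_install(shared_apk, swap_in_malicious_apk)
    shutil.rmtree(shared_dir)
    return results
```

In the vulnerable run the user is shown only the camera permission while the installed package also carries READ_SMS; the hardened run installs exactly what was shown, which is the effect of the Play Store's protected download space described above.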

Palo Alto Networks confirmed that it has worked with Google and the principal Android device manufacturers (e.g. Samsung, Amazon) to patch the Installer Hijacking vulnerability, but some devices running older Android versions may remain vulnerable.

Palo Alto Networks recommends that users:

  • Download mobile applications only from Google Play on vulnerable devices.
  • Update mobile devices to Android 4.3_r0.9 and later versions. Unfortunately, some Android 4.3 devices are found to be vulnerable.
  • Do not provide apps with permission to access logcat.

The Android Open Source Project includes patches for the Installer Hijacking vulnerability for Android 4.3 and later.

Pierluigi Paganini