Nearly half of all Android systems, 49.5 percent to be exact, contain a vulnerability through which an attacker could hijack the application installation process in order to install malware on impacted mobile devices.
The security firm Palo Alto Networks says it discovered a Time-of-Check to Time-of-Use vulnerability in Google’s Android operating system last year. Today’s research is their disclosure: an attack — dubbed Android installer hijacking – which exploits that bug, giving an attacker the ability to wrest control of application package files (APKs) while they install.
“We have successfully tested both exploits against Android 2.3, 4.0.3-4.0.4, 4.1.X, and 4.2.x,” a Palo Alto researcher wrote. “According to Android Dashboard, this vulnerability affected approximately 89.4 percent of the Android population as of January 2014 (when we first discovered it), and approximately 49.5 percent of the Android population as of March 2015.”
— Palo Alto Networks (@PaloAltoNtwks) March 24, 2015
Certain carrier-based installations of Android version 4.3 are not performing proper checks and may be vulnerable as well. Android versions 4.4 and above are not affected.
Potential attackers can exploit this bug in a pair of ways. They can either use a benign-looking app with benign-looking permissions to download a separate malicious app in the future, or they can simply compel a user to download an outright malicious app containing a seemingly benign set of permissions.
APKs are the file format used to install software onto the Android operating system. Therefore, the person or thing manipulating the APK can install arbitrary or malicious code onto vulnerable devices out of view of the user.
It’s important to note that this exploit is only possible on third party application market places. The reason for this, according to Zhi Xu of Palo Alto Networks, is that the official Google Play store downloads APKs into a protected space, whereas third party markets download APKs to unprotected local storage from where they are installed directly. Third party applications cannot access the Play Store’s protected space.
From storage, Android uses PackageInstaller to continue the installation. Once installation begins in earnest, the package being installed shows up in a user interface called the PackageInstallerActivity. Also known as the “time of check,” this is where the user can confirm the download and check its requested permissions. However, in this case the time of check vulnerability makes it so the attacker can manipulate the information shown on the PackageInstallerActivity page. In other words, the attacker can make it seem as if the user is downloading one app, when in actuality they are downloading another app altogether.
Palo Alto Networks says it worked on a patch for the problem with Google, the developer of Android, Samsung, the largest manufacturer of Android devices, and Amazon, the maintainer of a popular alternative application marketplace. Google is encouraging users to update to the most current version of 4.3, while Amazon is encouraging users to update their Amazon AppStore installation, which should occur automatically.
Palo Alto Networks discovered the vulnerability in January 2014, reported it to the Android security team in February 2014, Samsung in March 2014 and Amazon in September 2014.