The security researcher Zhi Xu from Palo Alto Networks discovered a critical vulnerability, dubbed Android Installer Hijacking, affecting the Android PackageInstaller system service. By exploiting the flaw, an attacker can gain unlimited permissions on compromised smartphone and data it manages, including user’s credentials and sensitive data.
“We discovered a widespread vulnerability in Google’s Android OS we are calling “Android Installer Hijacking,” estimated to impact 49.5 percent of all current Android users.” reports a blog post from the company.
The expert explained that the vulnerability only affects mobile apps downloaded from third-party app stores, meanwhile applications published on Google Play official store are safe because use a sandboxing mechanism for file downloads.
According to Palo Alto Networks, nearly 49.5 percent of Android mobile devices are exposed to concrete risk of attacks exploiting the flaw.
Fortunately no attempts to exploit the Installer Hijacking vulnerability on user devices has been detected in the wild.
“We have successfully tested both exploits against Android 2.3, 4.0.3-4.0.4, 4.1.X, and 4.2.x,” a Palo Alto researcher wrote. “According to Android Dashboard, this vulnerability affected approximately 89.4 percent of the Android population as of January 2014 (when we first discovered it), and approximately 49.5 percent of the Android population as of March 2015.” continues the post.
— Palo Alto Networks (@PaloAltoNtwks) 24 Marzo 2015
Basically the attackers can exploit the flaw in the following ways:
Below the attack chain summarized by Palo Alto Networks:
Zhi Xu explained that the PackageInstaller is affected by a ‘Time of Check’ to ‘Time of Use’ vulnerability that allows an attacker to modify the installation file during the app installation from unprotected local storage.
“In layman’s terms, that simply means that the APK file can be modified or replaced during installation without the user’s knowledge. The Installer Hijacking vulnerability affects APK files downloaded to unprotected local storage only because the protected space of Play Store app cannot be accessed by other installed apps.” is reported in the blog post.
Palo Alto Networks confirmed that it has worked with Google and principal Android device manufacturers (i.e. Samsung, Amazon) to patch the Installer Hijacking vulnerability, but some older-version Android devices may remain vulnerable.
Palo Alto Networks recommends uses to:
The Android Open Source Project includes patches for the Installer Hijacking vulnerability for Android 4.3 and later.
(Security Affairs – Android, Installer Hijacking vulnerability)