Internet related News · 2015-03-25

This Android vulnerability could expose many users to malware, claims Palo Alto Networks

Security firm Palo Alto Networks says it has discovered a “widespread vulnerability in Google’s Android OS”, which it estimates affects almost 50% of current Android users.

Writing on the company’s official blog, senior security engineer Zhi Xu said the vulnerability has been dubbed “Android Installer Hijacking.”

Android Installer Hijacking, he explained, allows an attacker to modify or replace a seemingly benign Android app with malware without the user’s knowledge. It only affects applications downloaded from third-party app stores, he added. The malicious application could gain full access to the compromised device, including usernames, passwords and other sensitive data.

Xu said Palo Alto Networks had worked with Google and major manufacturers such as Samsung and Amazon to inform them of the vulnerability and to issue patches for their devices.

The vulnerability can be exploited in multiple ways, wrote Xu:

Method A: Externally modifying the APK

The attacker can use a benign-looking app to install malware at a later time. This method has several stages:

  1. The victim installs “App X”, which appears legitimate.
  2. At a later date, the victim installs a perfectly legitimate app store (e.g. Amazon’s App Store app), which allows the user to install APK files from the local file system.
  3. Whenever the user attempts to install apps from this app store, a PackageInstallerActivity view is launched.
  4. The user sees an app in the legitimate third-party app store and attempts to install it. We will call this download “App Y”.

“App X”, the app from step 1, detects that the PackageInstallerActivity view has been launched and checks whether the APK file of “App Y” sits on an unprotected file system. If the app is being installed from a public location (e.g. /sdcard), “App X” can overwrite the “App Y” APK with malware while the user is still reviewing the permissions screen. After the user clicks “Install”, PackageInstaller installs the compromised “App Y” APK containing the malware. Arbitrary code is now installed on the device, with whatever permissions the attacker needs.

Method B: Self modifying the APK

This exploit can take advantage of the same vulnerability to mask what permissions the app really requires:

  1. The victim installs “App X”, which appears legitimate.
  2. While the user is using “App X”, it promotes a legitimate “App Y” (e.g. a popular game app) to the user for installation.
  3. If the user chooses to install it, the PackageInstallerActivity view starts. As discussed above, the essential information about “App Y” is shown in this view. “App Y” does not appear to ask for anything out of the ordinary; in fact, it may not ask for any permission at all.
  4. While the user is viewing the PackageInstallerActivity, “App X” rewrites the APK file of “App Y” with malware.
  5. When the user clicks “Install”, the modified version of “App Y” is installed, ignoring the permissions actually displayed. The app actually installed may not be related or similar to “App Y” in any way.

This vulnerability, Palo Alto Networks claimed, affects Android device users as well as Android app developers. Users may end up installing apps that are not the ones they agreed to install. App developers are affected too, because app-store apps and mobile ad libraries that do not rely on the Google Play store are likely to save the promoted apps in unprotected storage such as /sdcard.
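The precondition both methods above rely on is that the APK being installed sits somewhere any app can write to. The following Java class is an added example, not code from the article or from Palo Alto Networks, showing how a third-party store or ad SDK could remove that precondition: the downloaded APK is written to the app’s private internal directory (which other apps cannot write to), its SHA-256 digest is compared with a value obtained over a trusted channel, and only a read-only content URI is handed to the system installer. The FileProvider authority, class and method names are hypothetical, and the manifest is assumed to declare a FileProvider with a `<files-path>` entry for that authority.

```java
// Added example; not the article's or Palo Alto Networks' code.
// Assumes the manifest declares a FileProvider with the (hypothetical) authority below
// and that expectedSha256Hex comes from a trusted source (e.g. the store's TLS-protected
// catalogue), not from the same untrusted download.
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import androidx.core.content.FileProvider;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class SafeApkInstaller {
    private static final String AUTHORITY = "com.example.store.fileprovider"; // hypothetical
    private static final String APK_MIME = "application/vnd.android.package-archive";

    private SafeApkInstaller() {}

    /** Copies the downloaded APK into app-private internal storage (getFilesDir()).
     *  Other apps have no write access there, so a co-installed "App X" cannot swap
     *  the file while the install dialog is open. */
    public static File saveToPrivateStorage(Context ctx, InputStream download, String name)
            throws IOException {
        File dir = new File(ctx.getFilesDir(), "apks");
        if (!dir.isDirectory() && !dir.mkdirs()) {
            throw new IOException("cannot create " + dir);
        }
        File apk = new File(dir, name);
        try (OutputStream out = new FileOutputStream(apk)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = download.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        }
        return apk;
    }

    /** Lower-case hex SHA-256 of a file. */
    public static String sha256Hex(File f) throws IOException {
        MessageDigest md;
        try {
            md = MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory on Android
        }
        try (InputStream in = new FileInputStream(f)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                md.update(buf, 0, n);
            }
        }
        StringBuilder sb = new StringBuilder();
        for (byte b : md.digest()) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    /** Checks the stored APK against the trusted digest, then starts the installer with
     *  a read-only content URI. A mismatch deletes the file rather than offering it. */
    public static void verifyAndInstall(Context ctx, File apk, String expectedSha256Hex)
            throws IOException {
        String actual = sha256Hex(apk);
        if (!actual.equalsIgnoreCase(expectedSha256Hex)) {
            apk.delete();
            throw new SecurityException("APK digest mismatch: " + actual);
        }
        Uri uri = FileProvider.getUriForFile(ctx, AUTHORITY, apk);
        Intent intent = new Intent(Intent.ACTION_VIEW);
        intent.setDataAndType(uri, APK_MIME);
        // Grant read access only; no other process gets write access to the file.
        intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_ACTIVITY_NEW_TASK);
        ctx.startActivity(intent);
    }
}
```

The digest check alone would not close the gap the article describes: a file on /sdcard could still be rewritten after it is hashed and before the user taps “Install”, so the private directory is the part that matters, with the digest guarding the download itself. Note also that the content-URI handoff shown here is accepted by the platform installer only on Android 7.0 and later; on the older releases this article is about, the storage location and digest checks apply unchanged but the final handoff to the installer would differ.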

Palo Alto Networks says it has published a vulnerability scanner app in the Google Play store, and has also recorded a tutorial video showing how to use the scanner app to check whether a device is affected by the installer hijacking vulnerability.
