Android users at risk of malware via installer hijacking vulnerability

Graham Cluley

Security researchers have warned about a widespread vulnerability in Android devices that could let attackers sneakily modify or entirely replace a seemingly benign app with malware, without the user becoming aware.

In other words, a user might attempt to install a legitimate version of “Angry Birds” but instead end up with a Flashlight app that’s harbouring malware.

Every Android user is familiar with the screen that gets displayed during an app package’s installation, explaining the permissions that the app requests in order to run.

Android permissions

What wasn’t commonly known was that while a user is reviewing this information (the so-called “Time of Check”), an attacker can modify or replace the app’s package with their own malicious app, ready for the moment the user clicks the “Install” button (the “Time of Use”).

Fortunately, apps downloaded from the official Google Play Store are not at risk as they are downloaded into a protected space which cannot be overwritten by attackers.
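To make the check-then-use gap concrete, here is an added example (not code from the original article or from Palo Alto Networks) that simulates the installer flow in Python. The “packages” are constructed byte strings standing in for APK files, and the three installer functions are hypothetical: one re-reads a world-writable path after the permission screen (the vulnerable pattern), one pins a hash at time of check and refuses to install if the bytes at time of use differ (detection), and one copies the package into a private directory first, which is the “protected space” the article credits Google Play with (mitigation).

```python
import hashlib
import os
import shutil
import tempfile

# Constructed sample packages; the byte strings stand in for APK files.
BENIGN_APK = b"APK:angry-birds;perms=INTERNET"
HOSTILE_APK = b"APK:flashlight;perms=INTERNET,READ_SMS,SEND_SMS"


def read_permissions(apk_bytes):
    """Parse the constructed format 'APK:<name>;perms=A,B,C' into a list."""
    _, _, perms = apk_bytes.decode().partition(";perms=")
    return perms.split(",") if perms else []


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def vulnerable_install(apk_path, swap_during_review):
    """Check-then-use on a shared path: the permission screen comes from
    one read, but the bytes installed come from a second read of the same
    path after the user has finished reviewing."""
    with open(apk_path, "rb") as f:
        shown = read_permissions(f.read())      # time of check
    swap_during_review()                         # another process rewrites the path
    with open(apk_path, "rb") as f:
        installed = read_permissions(f.read())  # time of use
    return {"shown": shown, "installed": installed, "aborted": False}


def pinned_install(apk_path, swap_during_review):
    """Detection: hash the bytes at time of check and abort if the bytes
    at time of use no longer match."""
    with open(apk_path, "rb") as f:
        checked = f.read()
    expected = sha256(checked)
    shown = read_permissions(checked)
    swap_during_review()
    with open(apk_path, "rb") as f:
        candidate = f.read()
    if sha256(candidate) != expected:
        return {"shown": shown, "installed": None, "aborted": True}
    return {"shown": shown, "installed": read_permissions(candidate), "aborted": False}


def protected_install(apk_path, swap_during_review, private_dir):
    """Mitigation: copy into an app-private directory and never consult the
    shared path again, so a later rewrite of it cannot affect the install."""
    staged = os.path.join(private_dir, "staged.apk")
    shutil.copyfile(apk_path, staged)
    with open(staged, "rb") as f:
        shown = read_permissions(f.read())      # time of check, private copy
    swap_during_review()
    with open(staged, "rb") as f:
        installed = read_permissions(f.read())  # time of use, same private copy
    return {"shown": shown, "installed": installed, "aborted": False}


def run_demo():
    """Run all three installers against a shared download path that is
    rewritten while the user is on the permission screen."""
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
        public_path = os.path.join(shared, "download.apk")

        def reset():
            with open(public_path, "wb") as f:
                f.write(BENIGN_APK)

        def swap():  # simulates the rewrite of the shared path during review
            with open(public_path, "wb") as f:
                f.write(HOSTILE_APK)

        reset()
        vuln = vulnerable_install(public_path, swap)
        reset()
        pinned = pinned_install(public_path, swap)
        reset()
        protected = protected_install(public_path, swap, private)
    return vuln, pinned, protected


if __name__ == "__main__":
    for name, result in zip(("vulnerable", "pinned", "protected"), run_demo()):
        print(name, result)
```

The vulnerable flow shows the user one permission list and installs another; the pinned flow notices the mismatch and aborts; the protected flow is unaffected because it only ever reads its private copy. The real fix on Android 4.4 and later is the platform’s, but the same two ideas, pin what you checked and check only what you own, are the general defence against any time-of-check to time-of-use gap.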

Palo Alto Research says that it first found the Time-of-Check to Time-of-Use (TOCTTOU) vulnerability, and how it could be exploited in so-called “installer hijacking” in January 2014, and has been co-operating with Google, Samsung, Amazon and other manufacturers ever since.

The vulnerability can be successfully exploited on Android 2.3, 4.0.3-4.0.4, 4.1.x, and 4.2.x – which means that an alarming 49.5% of the Android devices currently in use are at risk.

That should obviously ring alarm bells – not just amongst home users, but also corporations which have BYOD policies allowing staff to access corporate data on Android devices and to bring their smartphones and tablets into the office.

Piling on the bad news, according to the researchers the vulnerability does not rely upon Android devices being rooted (although rooting does make them more vulnerable), and it is possible that some phones may be running vulnerable distributions of Android 4.3 too.

So, what’s the answer?

The best solution is to stop using vulnerable versions of the Android OS on your devices. Upgrade to Android 4.4 and later, which have fixed the problem.

Of course, that’s easier said than done.

Even if you *want* to upgrade the OS on your Android device you might not be able to, because an update is only going to be available for those devices with the assistance and goodwill of Google, the device’s manufacturer and your mobile phone carrier.

As history has often shown us, older Android devices are left stranded without an easy path for OS updates.

If upgrading your version of Android is not an option, you can reduce the risk by ensuring that apps are only ever downloaded from the official Google Play store rather than third-party sites.

Palo Alto Networks has released a free vulnerability scanner (available from the Google Play store, natch) that will hunt for the flaw on your Android device.

This article originally appeared on the Optimal Security blog.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.