Installer Hijacking affects almost half of Android devices

Android has a reputation for having a more open platform and ecosystem than, say, iOS, but, sadly, it is probably also notorious for sometimes being too open to malware as well. Of course, like any other software, it has its own fair share of vulnerabilities, but given its popularity and reach, sometimes those can be quite frightening. Take for example this "Android Installer Hijacking" technique that hails back from 2014, which could install malware on a user's Android device, naturally without the user being aware of it.

The vulnerability is what security firm Palo Alto Networks terms as "TOCTTOU", short for "Time-of-Check to Time-of-Use". In a nutshell, malware takes advantage of the gap of time during an app installation process to inject its evilness into the device. When an Android APK (an app package) gets installed, particularly from third-party stores or downloaded packages, the Android platform first verifies the content of the app (Time-to-Check) and then asks for the user's permission before it goes to actually install the app (Time-to-Use). During this period in between these two checkpoints, like while the user is reading the information, malicious software could either rewrite the app being installed or swap places with legitimate-looking app. The system would then proceed to install the wrong app and none would be the wiser.

As scary as it may sound, there are a few factors that mitigate this technique's use. First, it only affects apps that are installed via APKs, particularly those that install the app from an unprotected portion of the file system, which is the case for third party app stores. Installing from Google Play Store, which is always the recommended method, remains safe. Second, it only affects devices running Android versions older than Android 4.3. As of 2014, that amounted to 89.4 percent of the Android distribution charts. Although it has dwindled down to 49.5 percent by March this year, that is still almost half the number of devices in the wild.

More current versions of Android include a new hash security check that addresses this issue. The fix was introduced in Android 4.3_r0.9 but, sadly, not all devices running Android 4.3 actually incorporate that. The researchers have found, for example, the Samsung Galaxy S4 and Amazon Fire OS to still be vulnerable to hijacking.

The good news is that Palo Alto Networks has already informed app vendors, who have released fixes for their stores. Google, of course, patched up Android already and recommends installing only from Google Play Store anyway. Amazon advises Fire device owners to update to the latest Fire OS version and those using the standalone Android app to likewise get the fixed package. Those installing from other sources, especially those running older versions of Android, are, unfortunately, pretty much left to their own, though with some help from tools like Palo Alto Networks'.

(source SlashGear)