The Installer Hijacking vulnerability exposes 1 of 2 Android users to attack

Experts at Palo Alto Networks discovered the Installer Hijacking vulnerability, an installation-time flaw that exposes half of all Android users to attack.

The security researcher Zhi Xu from Palo Alto Networks discovered a critical vulnerability, dubbed Android Installer Hijacking, affecting the Android PackageInstaller system service. By exploiting the flaw, an attacker can gain unlimited permissions on the compromised smartphone and on the data it manages, including the user’s credentials and other sensitive data.

“We discovered a widespread vulnerability in Google’s Android OS we are calling ‘Android Installer Hijacking,’ estimated to impact 49.5 percent of all current Android users,” reports a blog post from the company.

The expert explained that the vulnerability only affects mobile apps downloaded from third-party app stores; applications published on the official Google Play store are safe because Google Play downloads files into a sandboxed, protected storage area that other apps cannot access.

According to Palo Alto Networks, nearly 49.5 percent of Android mobile devices are exposed to a concrete risk of attacks exploiting the flaw.


Fortunately, no attempts to exploit the Installer Hijacking vulnerability on user devices have been detected in the wild.

“We have successfully tested both exploits against Android 2.3, 4.0.3-4.0.4, 4.1.X, and 4.2.x,” a Palo Alto researcher wrote. “According to Android Dashboard, this vulnerability affected approximately 89.4 percent of the Android population as of January 2014 (when we first discovered it), and approximately 49.5 percent of the Android population as of March 2015,” continues the post.

Basically, attackers can exploit the flaw in the following two ways:

  • Using an apparently harmless mobile app with benign-looking permissions, which later downloads a separate malicious app.
  • By tricking a user into downloading a malicious app that declares a seemingly benign set of permissions.

The company has released a vulnerability scanner app in the Google Play store, which it has also open sourced on GitHub.

Below is the attack chain as summarized by Palo Alto Networks:

  • During installation, Android applications list the permissions requested to perform their function, such as a messaging app requesting access to SMS messages, but not GPS location.
  • This vulnerability allows attackers to trick users by displaying a false, more limited set of permissions, while potentially gaining full access to the services and data on the user’s device, including personal information and passwords.
  • While users believe they are installing a flashlight app, or a mobile game, with a well-defined and limited set of permissions, they are actually running potentially dangerous malware.

Zhi Xu explained that the PackageInstaller is affected by a time-of-check to time-of-use (TOCTOU) vulnerability: the installer reads the APK from unprotected local storage to display its permissions, and the file can be modified between that check and the moment the installer actually uses it to install the app.

“In layman’s terms, that simply means that the APK file can be modified or replaced during installation without the user’s knowledge. The Installer Hijacking vulnerability affects APK files downloaded to unprotected local storage only because the protected space of Play Store app cannot be accessed by other installed apps,” is reported in the blog post.
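To make the time-of-check/time-of-use gap concrete, here is an added teaching example in Python; it is not code from Palo Alto Networks, Google or AOSP, and it does not reproduce the real binary AndroidManifest.xml parser. The “APK” is a constructed JSON file whose `permissions` list stands in for the manifest, the shared directory stands in for unprotected local storage, and the `between_check_and_use` hook stands in for the window in which another app on the device replaces the file. The vulnerable flow re-reads the shared path at install time, so the permissions shown to the user and the permissions actually installed can differ; the hardened flow first copies the file into storage that other apps cannot write to, then performs both the check and the install on that single snapshot and re-verifies its digest before use.

```python
"""Simulated package installer: TOCTOU-vulnerable flow next to a hardened one.

Added example, not AOSP/PackageInstaller code.  The manifest format here
(JSON with "name" and "permissions") is a constructed stand-in.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Constructed sample manifests: what the user is shown vs. what gets swapped in.
BENIGN = {"name": "flashlight", "permissions": ["CAMERA"]}
OVERREACH = {"name": "flashlight",
             "permissions": ["CAMERA", "READ_SMS", "READ_CONTACTS", "INTERNET"]}


def read_manifest(apk_path: Path) -> dict:
    """Parse the stand-in manifest from the given file."""
    return json.loads(apk_path.read_bytes())


def install_unsafe(shared_path: Path, between_check_and_use=None) -> dict:
    """Vulnerable pattern: the permission prompt is built from the file in
    shared storage, and the install later re-reads that same path."""
    shown = read_manifest(shared_path)["permissions"]      # time of check
    if between_check_and_use:
        between_check_and_use()                             # file may change here
    installed = read_manifest(shared_path)["permissions"]  # time of use
    return {"shown_permissions": shown,
            "installed_permissions": installed,
            "mismatch": shown != installed}


def install_safe(shared_path: Path, private_dir: Path,
                 between_check_and_use=None) -> dict:
    """Hardened pattern: snapshot the APK into app-private storage first, then
    check and install from that snapshot only.  The digest taken at check time
    is re-verified before use so any tampering with the snapshot aborts."""
    snapshot = private_dir / "staged.apk"
    shutil.copyfile(shared_path, snapshot)
    digest_at_check = hashlib.sha256(snapshot.read_bytes()).hexdigest()
    shown = read_manifest(snapshot)["permissions"]         # time of check
    if between_check_and_use:
        between_check_and_use()                             # shared file swapped; snapshot untouched
    if hashlib.sha256(snapshot.read_bytes()).hexdigest() != digest_at_check:
        raise RuntimeError("staged APK changed between check and use; install aborted")
    installed = read_manifest(snapshot)["permissions"]     # time of use
    return {"shown_permissions": shown,
            "installed_permissions": installed,
            "mismatch": shown != installed}


def run_demo() -> dict:
    """Run both flows against the same swap-the-file event in a temp dir."""
    work = Path(tempfile.mkdtemp(prefix="toctou-demo-"))
    try:
        shared = work / "shared"     # stands in for unprotected local storage
        private = work / "private"   # stands in for the installer's protected space
        shared.mkdir()
        private.mkdir()
        apk = shared / "flashlight.apk"

        def write(manifest):
            apk.write_bytes(json.dumps(manifest).encode())

        def swap():
            write(OVERREACH)   # simulated replacement of the shared file

        write(BENIGN)
        unsafe = install_unsafe(apk, swap)
        write(BENIGN)
        safe = install_safe(apk, private, swap)
        return {"unsafe": unsafe, "safe": safe}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for flow, result in run_demo().items():
        print(flow, "->", "MISMATCH" if result["mismatch"] else "consistent",
              result["installed_permissions"])
```

The design point is that hashing alone is not enough if the hash is computed over a file other apps can still write to; the copy into private storage is what removes the writer from the race, and the digest re-check is a second line of defence that turns any remaining tampering into a refused install rather than a silently escalated one.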

Palo Alto Networks confirmed that it has worked with Google and major Android device manufacturers (e.g., Samsung, Amazon) to patch the Installer Hijacking vulnerability, but some devices running older Android versions may remain vulnerable.

Palo Alto Networks recommends that users:

  • Download mobile applications only from Google Play on vulnerable devices.
  • Update mobile devices to Android 4.3_r0.9 or later. Unfortunately, some Android 4.3 devices have also been found to be vulnerable.
  • Do not grant apps permission to access logcat.

The Android Open Source Project includes patches for the Installer Hijacking vulnerability for Android 4.3 and later.

Pierluigi Paganini

(Security Affairs – Android, Installer Hijacking vulnerability)