A researcher at Palo Alto Networks has discovered a frightening Android vulnerability that could allow hackers to steal data from unknowing users. Even scarier, it could affect nearly half of all current Android users.
Called the “Android installer hijacking vulnerability,” the bug reportedly allows attackers to surreptitiously download apps to Android users without them knowing.
Here’s how it works:
- When an Android user installs an app, they are always directed to a permissions screen ensuring the user know what sort of requirements the app has.
- This vulnerability, however, indicates that if a user downloads an app from a third-party app store or an app promotion (that is, not Google Play), Android doesn’t make sure that the app being presented to the user in the permissions page is the actual app being downloaded.
- This means that an attacker can “modify or replace the package in the background.” That is, hackers can secretly change the files that you think you’re downloading for other, more malicious ones. Think of it as an app bait and switch.
There are two ways for attacker to capitalise on this vulnerability. One, they can present to consumers a normal-looking app and then, once approved by the user, swap it for a piece of malware. Or, attackers can flat-out lie about the permissions the app requires, meaning app can look benign but actually gain all sorts of access to private phone data.
The fact that so many users are at risk highlights a real problem with Android. In short, Android operating systems are disturbingly fragmented. While the company has been working to fix its operating system fragmentation problem, more than half of the devices on the market use versions that are as many as three versions behind the latest. The most recent update, dubbed Lollipop, was released in November of 2014 and only 3.3% of all Android users currently run it.
Compare that with Apple, which claimed last fall that 94% of all iPhone users use a version of iOS that was released in the past year. With so many Android users spanning so many versions, it’s difficult for Google to issue a clean fix to problems like these.
The Android installer hijacking vulnerability applies to Android 4.3 devices. It was first discovered in January of 2014 and the researchers informed Google, Samsung, and Amazon (all of which provide operating systems to which the vulnerability applies). Now, more than a year later, all of the vendors have installed patches to fix it, but earlier versions of Android are still at risk.
According to the most recent numbers, that represents 49.5% of the Android devices on the market.
The most obvious fix for Android users would be to update their software. If they are unable to do that, users should only download apps through Google Play, as those files are unable to be overwritten by attackers.
So if you’re running an older version of Android, you better make sure you know what you’re downloading.