A vulnerability in Google's Android OS has been discovered that could allow an attacker to change or replace a seemingly safe Android application with malware during installation. An attacker exploiting this vulnerability could access and steal user data on compromised devices without user knowledge. Devices running Android version 4.4 or later are not vulnerable.
Android provides mechanisms to install apps from the Google Play store as well as from the local file system. Google Play downloads Android package (APK) files to a protected space of the file system. Third-party app stores and mobile advertisement libraries usually download APK files to unprotected storage (e.g. /sdcard/) and install them directly from there. In both cases Android uses a system application called PackageInstaller.
On affected platforms, the PackageInstaller has a “Time of Check” to “Time of Use” (TOCTOU) vulnerability: the APK file can be modified or replaced between the moment its contents are checked and the moment it is installed, without the user’s knowledge. The Installer Hijacking vulnerability affects only APK files downloaded to unprotected local storage, because the protected space used by the Play Store app cannot be accessed by other installed apps.
A vulnerability exists in this process because while the user is reviewing the permissions the installer displays, the attacker can modify or replace the package in the background. It has been verified that the PackageInstaller on affected versions does not verify the APK file again at the “Time of Use”. Thus, at the “Time of Use” (i.e., after the user clicks the “Install” button), the PackageInstaller can actually install a different app with an entirely different set of permissions.
There are at least two proven methods of exploiting the vulnerability: a self-modifying APK and an externally modified APK.
Enterprises concerned about the risk should take the following steps:
- Only install software from Google Play on affected devices. These files are downloaded into a protected space, which cannot be overwritten by the attacker.
- Deploy mobile devices with Android 4.3_r0.9 and later, but keep in mind that we have found some vulnerable Android 4.3 devices.
- Do not grant apps permission to access logcat. Logcat is the system log, which can be used to simplify and automate the exploit. Android 4.1 and later by default forbid apps from reading the logcat output of the system and of other installed apps, but an installed app could still obtain access to other apps’ logcat on rooted devices running Android 4.1 and later.
- Do not allow users to use rooted devices.
App developers concerned about the risk should save the downloaded APK files to protected storage space only.
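To make the time-of-check/time-of-use gap concrete, here is an added Python model (not code from the original advisory, and not Android's PackageInstaller) with a constructed text file standing in for an APK and temporary directories standing in for /sdcard and app-private storage; `vulnerable_install` re-reads the unprotected file at time of use, while `hardened_install` applies the developer advice above by staging the file in protected storage before checking it:

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def read_permissions(apk_path):
    """Stand-in for manifest parsing: the constructed 'APK' is a text file of permission names."""
    return set(apk_path.read_text().split())

def vulnerable_install(apk_path, user_approves, swap_during_review):
    """Models the affected PackageInstaller: the file is read at time of check and read again at time of use."""
    shown = read_permissions(apk_path)      # time of check: what the dialog displays
    swap_during_review()                    # the window while the user reads the dialog
    if not user_approves(shown):
        raise PermissionError("user declined")
    return read_permissions(apk_path)       # time of use: re-read from unprotected storage

def hardened_install(apk_path, user_approves, swap_during_review):
    """Copy the APK into app-private storage first, then check and install that same copy."""
    staged = Path(tempfile.mkdtemp(prefix="private_")) / "staged.apk"  # stand-in for getFilesDir()
    shutil.copyfile(apk_path, staged)
    digest = hashlib.sha256(staged.read_bytes()).hexdigest()
    shown = read_permissions(staged)
    swap_during_review()                    # can only touch the unprotected original
    if not user_approves(shown):
        raise PermissionError("user declined")
    if hashlib.sha256(staged.read_bytes()).hexdigest() != digest:
        raise RuntimeError("staged APK changed between check and use")
    return read_permissions(staged)

def demo(hardened):
    """Returns (permissions shown to the user, permissions actually installed)."""
    sdcard = Path(tempfile.mkdtemp(prefix="sdcard_"))  # stand-in for unprotected /sdcard
    apk = sdcard / "game.apk"
    apk.write_text("INTERNET")                         # constructed benign-looking package

    def swap():                                        # replacement written while the dialog is open
        apk.write_text("INTERNET READ_CONTACTS READ_SMS")

    seen = {}

    def approve(perms):                                # records what the user was shown
        seen["shown"] = perms
        return True

    installer = hardened_install if hardened else vulnerable_install
    installed = installer(apk, approve, swap)
    return seen["shown"], installed
```

On the affected flow the user approves one permission set and a different one is installed; on the hardened flow the staged copy cannot be touched, so the two sets match.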
Digital Edge Suggestion:
Please talk to us about deploying an enterprise solution to secure and manage your mobile users, unlock your workforce productivity and better engage your customers. Digital Edge offers a complete platform spanning mobile device management, mobile application management, secure email and browsing, and secure content and collaboration, giving you a powerful platform to accelerate your next-generation mobile strategy.
Please feel free to contact us for any additional information.