Android Installer Vulnerability Affecting 49.5 Percent of Devices: Report

Advertisement
By NDTV Correspondent | Updated: 26 March 2015 14:05 IST
Android Installer Vulnerability Affecting 49.5 Percent of Devices: Report

Security researchers at Palo Alto Networks claim to have found a vulnerability in Android versions ranging from v2.3 (Gingerbread) to v4.3_r0.9 (Jelly Bean) that allows attackers to gain full access to compromised devices. The bug pertains to the fact that in vulnerable versions of Android there are no checks at the time of installation of whether an app's permissions actually match those advertised to the user during installation. The vulnerability only affects apps installed from third-party app stores.

Palo Alto Networks says the vulnerability, which it is calling Android Installer Hijacking, is of the 'Time-of-Check to Time-of-Use (TOCTTOU)' type, and allows attackers to mask the permissions of an app being installed between the check page (which lists the permissions) and the actual installation of the apk file.

Essentially, the system service PackageInstaller on affected devices does not verify the apk file at the time of installation, only prior to displaying the permissions - this means the app installed can have different permissions from what are shown. This could allow access to user data including passwords.

The firm says as of Google's March 2015 Android distribution numbers, affected devices account for roughly 49.5 percent of active Android devices. Palo Alto Networks adds that back in January 2014 when it discovered the vulnerability, which it is calling Android Installer Hijacking, the security flaw affected 89.4 percent of active Android devices.

In February last year however, Palo Alto Networks says it informed Google's Android Security Team, and then informed Samsung in March, and Amazon (the vulnerability includes devices accessing Amazon Appstore for Android) in September, so that patches could be issued.

A quote by the Google team on the security firm's blog post says, "Android Open Source Project includes patches for this issue for Android 4.3 and later," and adds that the Team "has not detected any attempts to exploit this vulnerability on user devices."

Advertisement

Amazon on the other hand recommends users should download the latest version of the Amazon Appstore for Android, which it says gets "updated automatically on Fire devices and for 3rd party Android devices it can be updated via www.amazon.com/getappstore."

Palo Alto Networks itself has released an app to the Google Play store that allows users to check if their devices are affected by the Android Installer Hijacking vulnerability. It adds that Samsung and Amazon have released fixes for their affected devices, which included those running on Fire OS.

Affiliate links may be automatically generated - see our ethics statement for details.
 

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Advertisement

Related Stories

Popular Mobile Brands
  1. New Inelastic Dark Matter Model Could Bypass Current Limits of Particle Detection
  2. Gold Defies Physics: Remains Solid at 14x Its Melting Point in Superheating Experiment
  1. Gold Defies Physics: Remains Solid at 14x Its Melting Point in Superheating Experiment
  2. New Inelastic Dark Matter Model Could Bypass Current Limits of Particle Detection
  3. Massive 200-Light-Year Cloud May Be Channeling Matter to the Milky Way's Core
  4. Supergiant Star Wd1-9 Investigated: Know Everything about New Findings and Insights from Supergiant Star
  5. Australia’s First Orbital Rocket Eris Fails at Historic Launch
  6. Battle of Culiacan: Heirs of the Carte Now Streaming on JioHotstar
  7. New World Record Alert: Weather Satellite Records Longest Lightning Flash of 515 Miles
  8. New Rogue Planet Discovered in Hubble Data Using Einstein’s Gravity Theory
  9. Brightest Gamma-Ray Burst Ever Observed Reveals Cosmic Secrets
  10. Microsoft Reaches $4 Trillion Valuation After Solid Results
Gadgets 360 is available in
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2025. All rights reserved.