Nearly half (49.5 percent) of all Android phones are still vulnerable to a security bug that allows attackers to modify or replace a seemingly benign app with malware without users' knowledge, according to a blog post by researchers at Palo Alto Networks. Although the researchers first discovered the flaw more than a year ago, some vendors' builds of Android 4.3 still contain it.
The Palo Alto Networks team that discovered the flaw has already alerted vendors, including Google, Amazon and handset manufacturers such as Samsung. When the flaw was first discovered in January 2014, more than 89 percent of Android devices were vulnerable. The flaw is fixed in Android 4.4.
Malware with Arbitrary Permissions
Nonetheless, many phones that continue to run older versions of Android remain at risk. The researchers said they successfully executed the attack, dubbed "Android installer hijacking," on phones such as Samsung's Galaxy S4. Palo Alto Networks has published an app on the Google Play store that scans a phone for the vulnerability. The team has also released the app as open source on a GitHub repository.
Enterprises concerned about the flaw can take several steps to mitigate their risk. Palo Alto Networks recommended that organizations deny permission to apps that request access to logcat, the Android system log. The exploit does not need logcat to work, but reading the log lets an attacker detect when an installation starts and so simplify and automate the attack.
IT departments can further protect their systems by preventing employees from using rooted devices. Rooted devices give users full access to the entire operating system, enabling them to access special types of apps that require root permissions. Although the exploit does not require a rooted device to work, such devices are more vulnerable.
The exploit is based on a vulnerability in the Android OS that lets an attacker hijack the normal APK (Android application package) installation process. The package installer reads the APK to display its permission list, then reads it again from the same location to perform the installation. If that location is storage other apps can write to, a malicious app can swap the file between the two reads (a time-of-check/time-of-use race), so the user approves one set of permissions and a different package, carrying whatever permissions the attacker chooses, is installed. The result is malware with full access to the compromised device, including usernames, passwords and other sensitive data.
App Developers Beware
There are several ways an attacker can use the vulnerability. For example, a victim can be fooled into installing a seemingly legitimate app: it requests no unusual permissions and can come from any app store. The app then waits for the user to download a second app from a third-party app store and overwrites that download with malware while the user is viewing the permissions screen.
In another case, the first app promotes a second app as an advertisement within itself. When the user tries to install the promoted app, the first app likewise modifies the downloaded package while the user is viewing the package installer activity.
App developers should also be wary of the exploit. Apps and mobile ad libraries that install promoted apps without going through the Google Play store often save the downloaded APK in unprotected storage that any app on the device can write to, which is exactly what lets an attacker replace it with malware before the installer uses it.
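The race described above, and the developer-side mitigation (keep the downloaded package in app-private storage and pin it to a known value before handing it to the installer), as an added simulation that is not code from the article or from Palo Alto Networks. APK files are stood in for by constructed byte strings whose first line plays the role of the manifest's permission list; the "installer" and the "attacker" are plain Python functions, the shared directory stands in for world-writable storage, and the hash pin stands in for the signature or checksum a real ad library would ship with the promoted app. All names in the block are hypothetical.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed stand-ins for APK files, not real packages. The first line models
# the manifest's permission list; the rest models the app's code.
BENIGN_APK = b"permissions: INTERNET\ncode: harmless game\n"
MALICIOUS_APK = b"permissions: INTERNET,READ_SMS,READ_CONTACTS\ncode: spyware\n"


def parse_permissions(apk_bytes):
    """Return the permission list from the toy 'manifest' (first line)."""
    header = apk_bytes.split(b"\n", 1)[0].decode()
    return [p.strip() for p in header.split(":", 1)[1].split(",")]


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def swap_apk(path):
    """Attacker's move: overwrite the staged file in shared storage while the
    user is looking at the permission screen. Any app that can write to the
    shared directory can do this."""
    with open(path, "wb") as f:
        f.write(MALICIOUS_APK)


def vulnerable_install(apk_path, attacker):
    """Flawed flow: permissions are read from the file in shared storage and
    displayed, then the file is read *again* for installation (TOCTOU)."""
    with open(apk_path, "rb") as f:
        shown = parse_permissions(f.read())        # time of check
    attacker(apk_path)                             # race window: permission screen is up
    with open(apk_path, "rb") as f:
        installed = parse_permissions(f.read())    # time of use: re-read from shared storage
    return shown, installed


def hardened_install(apk_path, expected_sha256, attacker):
    """Mitigation: copy the APK into app-private storage first, pin it to a
    known hash, and parse and install from that single private copy."""
    private_dir = tempfile.mkdtemp(prefix="staging-")   # stand-in for the app's private files dir
    os.chmod(private_dir, 0o700)                         # other apps cannot write here
    private_copy = os.path.join(private_dir, "promoted.apk")
    shutil.copyfile(apk_path, private_copy)
    try:
        with open(private_copy, "rb") as f:
            data = f.read()
        if sha256(data) != expected_sha256:
            return None                                  # tampered with before we copied it
        shown = parse_permissions(data)
        attacker(apk_path)                               # attacker still races the shared file...
        installed = parse_permissions(data)              # ...but we install the pinned private copy
        return shown, installed
    finally:
        shutil.rmtree(private_dir)


def demo():
    """Run both flows against the same attacker and return what each installed."""
    shared_dir = tempfile.mkdtemp(prefix="sdcard-")      # stand-in for world-writable storage
    shared_apk = os.path.join(shared_dir, "promoted.apk")
    out = {}
    try:
        with open(shared_apk, "wb") as f:
            f.write(BENIGN_APK)
        out["vulnerable"] = vulnerable_install(shared_apk, swap_apk)

        with open(shared_apk, "wb") as f:
            f.write(BENIGN_APK)
        out["hardened"] = hardened_install(shared_apk, sha256(BENIGN_APK), swap_apk)

        # Attacker replaced the file before the developer ever copied it: the pin catches it.
        swap_apk(shared_apk)
        out["hardened_pre_swapped"] = hardened_install(shared_apk, sha256(BENIGN_APK), swap_apk)
    finally:
        shutil.rmtree(shared_dir)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In the vulnerable flow the user is shown INTERNET and ends up with a package that also holds READ_SMS and READ_CONTACTS; in the hardened flow the attacker's overwrite of the shared file has no effect, and a file that was swapped before staging is rejected by the hash check. The private copy is what makes the difference: the pin only helps when the promoting app knows the expected value in advance, while staging outside world-writable storage removes the attacker's write access regardless.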
Source – http://www.cio-today.com/article/index.php?story_id=132004JXT2R0