A vulnerability that lets passwords be stolen affects about half of existing Android devices, and an application that checks for the vulnerability has also appeared


By Carlos Varela

A vulnerability has been discovered in Android's "PackageInstaller" system: while the user believes they are installing a harmless application, the installation process can be hijacked without their noticing, and the application can ultimately be replaced with one infected with malware. Attackers can also steal information such as the user's name and password. This vulnerability affects 49.5% of all Android users.

Android Installer Hijacking Vulnerability Could Expose Android Users to Malware - Palo Alto Networks Blog
http://researchcenter.paloaltonetworks.com/2015/03/android-installer-hijacking-vulnerability-could-expose-android-users-to-malware/

This vulnerability was discovered in January 2014 by the network security vendor Palo Alto Networks, which later cooperated with Google, Samsung, Amazon and others to fix the problem.

By using this vulnerability in Android's "PackageInstaller" system, it is possible to swap an application that the user is installing in good faith for a different application. For example, when the user downloads the legitimate version of the game application "Angry Birds" and tries to install it, an attacker takes over that process and installs another application infected with malware. This gives the attacker full access to personal information, such as the user name and password.

Normally, an APK file that the user downloads from Google Play is stored in a protected area of the file system, whereas for a third-party application the APK file is saved to unprotected storage such as /sdcard/. These processes are handled by the PackageInstaller system, and a time-of-check to time-of-use (TOCTTOU) vulnerability has now been found in this PackageInstaller system.

When the APK file is downloaded, PackageInstaller parses the file and reads the application's name, its icon, the security permissions it requests, and so on. This is the "Time of Check", and the user can see this information about the application on the "PackageInstallerActivity" screen. As in the following image, on that screen you can view all the information by pressing "Next" and then tap "Install" to continue the installation process.


When the vulnerability exists in this process, an attacker can rewrite or replace the file behind the scenes while the user is still looking at the application's information. The vulnerable PackageInstaller will then end up installing a different app that requests completely different security permissions. Note that this can only be carried out when an application is downloaded from a third-party app store, and according to Google's Android security team, no attempts to exploit this vulnerability on users' devices have been confirmed.
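The time-of-check to time-of-use gap described above can be shown with a toy model (an added example, not code from Palo Alto Networks or Android; the two-line "package" format, the file name and the function names are hypothetical). The unpinned installer re-reads the path after the review step, while the pinned one refuses to install if the bytes no longer match the digest recorded when the user reviewed them:

```python
import hashlib
import os
import tempfile


def inspect_package(path):
    """Time of check: parse what the user is shown and pin the file's digest."""
    with open(path, "rb") as f:
        data = f.read()
    label, perms = data.decode().splitlines()[:2]
    return {"label": label, "perms": perms, "sha256": hashlib.sha256(data).hexdigest()}


def install_unpinned(path):
    """Vulnerable pattern: trust whatever is at the path at time of use."""
    with open(path, "rb") as f:
        return f.read().decode().splitlines()[0]


def install_pinned(path, reviewed):
    """Hardened pattern: install only the exact bytes that were reviewed."""
    with open(path, "rb") as f:
        data = f.read()
    if hashlib.sha256(data).hexdigest() != reviewed["sha256"]:
        raise ValueError("package changed after review; refusing to install")
    return data.decode().splitlines()[0]


def demo():
    with tempfile.TemporaryDirectory() as shared:  # stands in for /sdcard/
        path = os.path.join(shared, "app.pkg")     # constructed toy package
        with open(path, "wb") as f:
            f.write(b"Game\npermissions: none\n")
        reviewed = inspect_package(path)           # confirmation screen shown
        # Constructed: the file is replaced while the user reads the screen.
        with open(path, "wb") as f:
            f.write(b"Other\npermissions: contacts,sms\n")
        unpinned = install_unpinned(path)
        try:
            pinned = install_pinned(path, reviewed)
        except ValueError:
            pinned = "rejected"
        return reviewed["label"], unpinned, pinned


if __name__ == "__main__":
    print(demo())
```

Digest pinning is one way to close the gap; copying the file into protected storage before inspection and installing from that copy achieves the same result.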

Palo Alto Networks reported that "there are patches in Android 4.3 and later, so there are no problems," but Palo Alto Networks also warns that "some builds of version 4.3 are vulnerable." The vulnerability is said to have been fixed in Android 4.4 and later versions.

You can check whether your Android device is vulnerable with the following application released by Palo Alto Networks, and if the device is vulnerable, the application temporarily protects the data. It is an open source application, and the code can be checked on GitHub.

Installer Hijacking Scanner - Android application on Google Play
https://play.google.com/store/apps/details?id=com.paloaltonetworks.ctd.ihscanner

in Software, Posted by darkhorse_log