Palo Alto Networks has revealed details of a widespread vulnerability in Google’s Android mobile operating system that allows attackers to hijack the installation of a seemingly safe application – Android Package File (APK) – on user devices, replacing it with an app of the attacker’s choice.
Discovered by Palo Alto Unit 42 threat researcher Zhi Xu, the vulnerability stems from a flaw in Android’s “PackageInstaller” system service that allows attackers to silently gain unlimited permissions on compromised devices.
During installation, Android applications list the permissions requested to perform their function, such as a messaging app requesting access to SMS messages, but not GPS location.
This vulnerability allows attackers to trick users by displaying a false, more limited set of permissions, while potentially gaining full access to the services and data on the user’s device, including personal information and passwords.
For instance, while users believe they are installing a flashlight app, or a mobile game, with a well-defined and limited set of permissions, they are actually running potentially dangerous malware.
Saeed Agha, General Manager Middle East, Palo Alto Networks, shared ahead of the release: “Exploitation of this vulnerability, which is estimated to affect about 49.5 percent of current Android device users, allows attackers to potentially distribute malware, compromise devices and steal user data.”
Palo Alto also released an application to help potentially affected Android users diagnose their devices.
Unit 42, the Palo Alto threat intelligence team, has worked with Google and Android device manufacturers to help protect users and patch this vulnerability in affected versions of Android. Some older-version Android devices may remain vulnerable.
“This Android vulnerability means users who think they’re accessing legitimate applications with approved permissions may instead be exposed to data theft and malware,” said Ryan Olson, Intelligence Director, Unit 42, Palo Alto Networks. “We urge users to take advantage of the diagnostic application provided by Palo Alto Networks to check their devices, and we thank Google, Samsung and Amazon for their cooperation and attention.”
Palo Alto recommends only installing software applications from Google Play on vulnerable devices; these files are downloaded into a protected space, which cannot be overwritten by the attacker.
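The flaw described above is a time-of-check-to-time-of-use problem: the installer reads permissions from a package file for the prompt, then reads the file again from disk to install it. The following added example (not Palo Alto's or Android's code) simulates that gap with a constructed stand-in package, a zip carrying a `manifest.json` rather than a real APK, and contrasts a naive installer with one that hashes the file when the prompt is shown and refuses to install if the file has changed since.

```python
import hashlib
import json
import os
import tempfile
import zipfile

CAMERA = "android.permission.CAMERA"
SMS = "android.permission.READ_SMS"

def make_package(path, permissions):
    # Constructed stand-in for an APK: a zip whose manifest.json lists the
    # requested permissions (not a real AndroidManifest.xml).
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("manifest.json", json.dumps({"permissions": permissions}))

def read_permissions(path):
    with zipfile.ZipFile(path) as z:
        return json.loads(z.read("manifest.json"))["permissions"]

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def install_naive(path, approve):
    # Flawed flow: permissions are read once for the prompt, then the file is
    # re-read from disk for installation with no check in between.
    if not approve(read_permissions(path)):
        return "declined"
    return "installed " + ",".join(read_permissions(path))

def install_checked(path, approve):
    # Hardened flow: hash the file when the prompt is built and refuse to
    # install if what is on disk no longer matches.
    digest_at_prompt = sha256_file(path)
    if not approve(read_permissions(path)):
        return "declined"
    if sha256_file(path) != digest_at_prompt:
        return "rejected: package changed after permissions were shown"
    return "installed " + ",".join(read_permissions(path))

def simulate(installer, swapped_while_prompt_open):
    # One install of a constructed "flashlight" package from an unprotected
    # directory; optionally the file is replaced while the prompt is open.
    with tempfile.TemporaryDirectory() as d:
        pkg = os.path.join(d, "flashlight.apk")
        make_package(pkg, [CAMERA])
        def approve(shown):
            if swapped_while_prompt_open:
                make_package(pkg, [SMS])
            return shown == [CAMERA]  # user approves only the camera prompt
        return installer(pkg, approve)
```

The naive installer ends up installing a package requesting SMS access even though the user only approved a camera permission; the checked installer rejects it. Keeping the package in app-private storage, as the Google Play recommendation above does, removes the attacker's ability to replace the file in the first place.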