Innopplinc - Blog

Here's How To Keep Your Android Device Safe

Almost Half Of Android Devices Are At Malware Risk Due To A Security Flaw

Palo Alto Networks has discovered that almost half of Android devices are vulnerable to an attack by malicious software that targets the user's sensitive data. Zhi Xu, a senior engineer at Palo Alto, revealed that the malicious application (known as “Android Installer Hijacking”) will have complete access to the device and can hijack critical information such as usernames, passwords and much more.

The software is said to affect only those applications that are installed from 3rd party app stores.

How does it work?

Apps installed from a 3rd party store generally have their APK installation files placed in the device’s unprotected local storage. A system application called PackageInstaller then completes the installation. This allows the APK file to be modified or even replaced without being detected.

This is how it happens

When a user downloads an application (one that seems every bit like a legitimate application), it asks for certain permissions on the device. When the permissions are granted, the hijack tampers with the APK file, and the PackageInstaller neither verifies the file nor detects the change. When the install button is clicked, the malware can actually install a different app that has a different set of permissions altogether. It is also noted that Android devices get attacked irrespective of being rooted or not. Rooted devices are more vulnerable.
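The gap between reviewing the permissions and installing the file can be modelled in a few lines. This is an added example, not code from Palo Alto or Android: a JSON file stands in for an APK, and all function names and sample values are constructed for illustration. It contrasts an installer that re-reads the file from shared storage with one that stages a private copy and pins its digest.

```python
import hashlib, json, os, shutil, tempfile

def write_pkg(path, name, permissions):
    # Constructed stand-in for an APK: a JSON file with a name and permission list.
    with open(path, "w") as f:
        json.dump({"name": name, "permissions": permissions}, f)

def read_permissions(path):
    with open(path) as f:
        return json.load(f)["permissions"]

def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def naive_install(path, wait_for_user):
    """Weak flow: parse for the consent screen, then re-read the same path."""
    shown = read_permissions(path)       # time of check (what the user approves)
    wait_for_user(path)                  # file sits in shared storage meanwhile
    installed = read_permissions(path)   # time of use, with no verification
    return shown, installed

def hardened_install(path, private_dir, wait_for_user):
    """Stage a private copy, pin its digest, and install only that copy."""
    staged = os.path.join(private_dir, "staged.pkg")
    shutil.copyfile(path, staged)        # models installer-private storage
    pinned = sha256(staged)
    shown = read_permissions(staged)
    wait_for_user(path)
    if sha256(staged) != pinned:         # refuse if the reviewed bytes changed
        raise ValueError("package changed after review")
    return shown, read_permissions(staged)

def simulate():
    # Constructed scenario: the file in shared storage is replaced while the
    # consent screen is open. Returns (shown, installed) for each installer.
    def replace_file(p):
        write_pkg(p, "other", ["READ_SMS", "READ_CONTACTS"])
    with tempfile.TemporaryDirectory() as shared, \
         tempfile.TemporaryDirectory() as private:
        pkg = os.path.join(shared, "app.pkg")
        write_pkg(pkg, "flashlight", ["CAMERA"])
        naive = naive_install(pkg, replace_file)
        write_pkg(pkg, "flashlight", ["CAMERA"])
        hardened = hardened_install(pkg, private, replace_file)
    return naive, hardened

if __name__ == "__main__":
    print(simulate())
```

With the naive flow the permissions shown and the permissions installed differ; with the staged copy they match, because everything after the review operates on bytes the other app cannot reach.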

While Google, Samsung and Amazon have already released patches, 49.5% of devices still remain vulnerable. Palo Alto has come up with an Android app that detects the malware.

Palo Alto’s fix works against versions 2.3, 4.0.3 to 4.0.4.x and 4.2.x. Version 4.4 fixes the issue, while devices on 4.3 could still be affected since few manufacturers have released the patches yet.

What should enterprises do?

  1. If you’re on a vulnerable version, download applications from Google Play only, as they are downloaded to a protected space and cannot be overwritten by attacks.
  2. Deploy devices with 4.3_r0.9; however, be aware that this version may also be vulnerable.
  3. Do not grant permission to access the logcat. The logcat is a system log that can be used to simplify and automate the exploit.
  4. Versions 4.1 and higher, by default, do not allow access to the logcat and other existing apps. However, on rooted devices running 4.1 and above, an installed app could still get access to the logcat of other apps.
  5. Prohibit the use of rooted devices on the enterprise network.