Patched Android flaw left third-party apps vulnerable to hijacking

A vulnerability in the Android PackageInstaller system allowed attackers to hijack the installation process of a seemingly safe third-party Android app and replace it with one infected with malware.

Researchers with Palo Alto Networks' Unit 42 threat team revealed details of a now-resolved vulnerability within Google's Android mobile operating system.

The vulnerability was a flaw in the Android PackageInstaller system service that allowed attackers to hijack the installation process of a seemingly safe third-party Android application and replace it with a malware-infected app of the attacker's choosing.

For instance, if an Android device owner attempted to install a legitimate version of Angry Birds, an attacker could take over and install a Flashlight app that's running malware. This would allow the attacker to gain full access to potentially sensitive user data such as usernames and passwords.

Palo Alto Networks' threat intelligence team says it worked with Google and Android device manufacturers, such as Samsung and Amazon, to patch the vulnerability in affected versions of Android.

"This Android vulnerability means users who think they're accessing legitimate applications with approved permissions may instead be exposed to data theft and malware," said Ryan Olson, intelligence director of Unit 42, in a statement. "We thank Google, Samsung and Amazon for their cooperation and attention."

According to Google, the Android Security Team did not detect any attempts to exploit the vulnerability on user devices, adding that Android versions 4.3 and later include patches for the issue. However, Palo Alto Networks warns that some older-version Android devices may remain vulnerable.

It's worth noting the lengthy timeline between the discovery of the vulnerability and today's public disclosure. The initial discovery by Palo Alto Networks was more than a year ago, in January 2014. In February 2014, the vulnerability was reported to the Google Android Security Team. In March 2014, Samsung was notified of the vulnerability, but Amazon wasn't notified for another six months after that, until September.

The missing piece in the timeline is exactly when the vulnerability was patched in relation to when it was first reported to Google.