Report: Nearly 50% Of Android Devices Are Vulnerable To Silent Attack

Threat researcher Zhi Xu is reporting a widespread vulnerability in Google's Android operating system that is capable of exposing up to 49.5% of users to spyware, via a two-front alliance formed between apps downloaded from Google Play and from legitimate third-party app stores such as Amazon and Samsung.

Given the not-very-creative name "Android Installer Hijacking", the vulnerability reported by Xu, who is a senior engineer at Palo Alto Networks, allows potential attackers to modify or replace seemingly benign Android apps with malware without the user's knowledge. In the attack scenario, an innocent-seeming app downloaded from Google Play first becomes entrenched on the device. Once in place, this in-truth-nefarious Google Play app monitors the user's system for apps being installed from third-party stores. When it detects such an install, it could replace that app with a malicious version during the installation process, while users review permissions such as SMS message access, GPS location, Wi-Fi connection, and so on.


The third-party app in this context would then supply the Google Play app with the information and access it needs to compromise the device and steal sensitive information, such as usernames and passwords.

Xu says, "This hijacking technique can…substitute one application with another, for instance if a user tries to install a legitimate version of Angry Birds and ends up with a flashlight app that’s running malware."

An attack launched via Android Installer Hijacking can only affect devices running Android 4.1 and older, though users are advised to upgrade to at least Android 4.4 to avoid potential infection. To date, no actual attacks have been detected outside of the laboratory, though with over one billion users worldwide the vulnerability has the potential to affect roughly 500 million Android users.

Android Installer Hijacking affects both device users and Android app developers. For users the danger is simple enough: they end up installing malicious apps that are not the ones they intended to install, and those apps can then wreak havoc on the device. Developers are affected because app-store apps and mobile ad libraries that do not rely on the Google Play store would be likely to save the promoted apps in unprotected storage.

According to The Register, Google, Amazon, and Samsung are among the organizations working to mitigate the issue.