Android mobile users who download their apps from the Google Play Store have full confidence the items they get are legit and free from backdoor attacks, especially that Google recently formed a review team to vet apps. But a new method of attack, though unseen in real-world setting, could turn your legit app into a malware that a security researcher says could put half of Android devices worldwide in jeopardy.
Zhi Xu, a senior engineer at Palo Alto Networks, discovered the potential of the attack based on a hypothetical study that shows legit Google Play apps can create an entry point into an Android device for another app coming from third party app stores. This app from a third party source can then grant enable the legit Google Play app to have access to a vast array of data, including usernames, passwords, and other sensitive data.
Based on the findings of Xu, this method of attack can help attackers to alter apps in a stealthy manner, free from detection of the phone’s owner. It is called a silent hijacking technique, through which a hacker can replace the real app you are downloading from Google Play with another app that probably contains a malware.
The providers of app store services such as Google and Amazon are already finding a fix to the vulnerability. Users, meanwhile, can do something about it. Security experts recommend that they update to the new versions of the Android operating system such as Android 4.4 and higher to parry the problem once and for all.
According to Xu, the PackageInstaller used to install Android apps in devices is what causes the problem. The installer contains a sort of vulnerability, called time-of-Check to Time-of-Use, which a hijacker can use to substitute legit apps with malicious ones because PackageInstaller on older versions of Android does not authenticate the APK file at the time of use.
Luckily, though, the attack works only when an app is downloaded and saved to an unprotected space, in this case in file systems beyond the perimeter of Google Play. So the hijacker’s technique is evident now, first they would try to install what appears to be a safe app and then launch a malicious app once they detect apps installed from third party sources. This happens during the installation process, a very subtle way of circumventing any form of detection method on the part of the user, who would haphazardly just give permission when asked.
So if you are still using Android 4.1 or lower, upgrade to the latest version if possible to avoid this kind of attack.