Android users at risk of malware via installer hijacking vulnerability

Security researchers have warned about a widespread vulnerability in Android devices, that could see attackers sneakily modify or entirely replace seemingly benign apps with malware, without users becoming aware.

In other words, a user might attempt to install a legitimate version of “Angry Birds” but instead end up with a Flashlight app that’s harbouring malware.


Every Android user is familiar with the screen that gets displayed during an app package’s installation, explaining the permissions that the app requests in order to run.

Android permissions

What wasn’t commonly known was that while a user is reviewing this information (the so-called “Time of Check”), an attacker can modify or replace the app’s package file on disk with their own malicious app, in readiness for the user to click the “Install” button (the “Time of Use”). The installer then reads whatever package is sitting in that location, not the one whose permissions were just displayed.

Fortunately, apps downloaded from the official Google Play Store are not at risk, as they are downloaded into a protected space which cannot be overwritten by other apps. The exposure is with third-party app stores and sideloaded APKs that are saved to unprotected storage, such as the SD card, before being handed to the installer.
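The race described above, simulated in Python as an added illustration (this is not the article’s or Palo Alto Networks’ code, and the “APK” contents, file names and directories are constructed stand-ins). The vulnerable installer checks the package where it was downloaded and re-reads it at install time; the hardened version copies it into a private directory first, checks the copy, and re-verifies the hash at the moment of use:

```python
"""
Simulated installer-hijacking TOCTOU race. Added example: not code from the
original article or from Palo Alto Networks. The two "APK" files below are
constructed byte strings, not real packages.
"""
import hashlib
import os
import shutil
import tempfile
import threading
import time

# Constructed stand-ins: the package the user thinks they are installing, and
# the one an attacker swaps in while the permissions screen is on display.
BENIGN_APK = b"PK\x03\x04 angry-birds permissions=INTERNET"
MALICIOUS_APK = b"PK\x03\x04 flashlight permissions=INTERNET,READ_SMS,SEND_SMS"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def show_permissions(path: str) -> bytes:
    """Time of check: read the package so its permission list can be shown."""
    with open(path, "rb") as f:
        return f.read()


def attacker_swap(path: str, delay: float) -> None:
    """Any app with write access to the shared download directory can do this."""
    time.sleep(delay)
    with open(path, "wb") as f:
        f.write(MALICIOUS_APK)


def vulnerable_install(shared_apk: str, think_time: float = 0.2) -> tuple:
    """Check the file in place, then re-read it at install time: racy."""
    checked = sha256(show_permissions(shared_apk))
    t = threading.Thread(target=attacker_swap, args=(shared_apk, think_time / 2))
    t.start()
    time.sleep(think_time)        # the user is reading the permissions screen
    t.join()
    with open(shared_apk, "rb") as f:   # time of use: whatever is there now
        installed = sha256(f.read())
    return checked, installed


def hardened_install(shared_apk: str, private_dir: str, think_time: float = 0.2) -> tuple:
    """Stage the package in a directory other apps cannot write, check that copy,
    install that copy, and re-verify its hash at time of use."""
    staged = os.path.join(private_dir, "staged.apk")
    shutil.copyfile(shared_apk, staged)
    checked = sha256(show_permissions(staged))
    t = threading.Thread(target=attacker_swap, args=(shared_apk, think_time / 2))
    t.start()
    time.sleep(think_time)
    t.join()
    with open(staged, "rb") as f:
        installed = sha256(f.read())
    if installed != checked:      # would catch tampering even with the private copy
        raise RuntimeError("package changed between check and install")
    return checked, installed


def run_demo() -> dict:
    """Run both installers against a fresh benign download; return their
    (checked_hash, installed_hash) pairs."""
    results = {}
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
        os.chmod(private, 0o700)  # stand-in for an app's private data directory
        shared_apk = os.path.join(shared, "download.apk")
        for name, fn, args in (
            ("vulnerable", vulnerable_install, (shared_apk,)),
            ("hardened", hardened_install, (shared_apk, private)),
        ):
            with open(shared_apk, "wb") as f:
                f.write(BENIGN_APK)
            results[name] = fn(*args)
    return results


if __name__ == "__main__":
    for name, (checked, installed) in run_demo().items():
        print(f"{name:10s} checked={checked[:12]} installed={installed[:12]} "
              f"{'HIJACKED' if checked != installed else 'ok'}")
```

The fix has two parts, and both matter: moving the package into storage the attacker cannot write closes the window on an unrooted device, while hashing the exact bytes at time of use and comparing them with the bytes that were checked turns any remaining tampering (for example on a rooted device) into a hard failure instead of a silent install.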

Palo Alto Networks says that it first found the Time-of-Check to Time-of-Use (TOCTTOU) vulnerability, and how it could be exploited in so-called “installer hijacking”, in January 2014, and has been co-operating with Google, Samsung, Amazon and other manufacturers ever since.

The vulnerability can be successfully exploited on Android 2.3, 4.0.3-4.0.4, 4.1.X, and 4.2.x – which means that an alarming 49.5% of the Android devices currently in use are at risk.

That should obviously ring alarm bells – not just amongst home users, but also corporations which have BYOD policies allowing staff to access corporate data on Android devices and to bring their smartphones and tablets into the office.

Piling on the bad news, according to researchers the vulnerability does not rely upon Android devices being rooted (although this does make them more vulnerable) and it is possible that some phones may be running vulnerable distributions of Android 4.3 too.

So, what’s the answer?

The best solution is to stop using vulnerable versions of the Android OS on your devices. Upgrade to Android 4.4 or later, which have fixed the problem.

Of course, that’s easier said than done.

Even if you *want* to upgrade the OS on your Android device you might not be able to, because an update is only going to be available for those devices with the assistance and goodwill of Google, the device’s manufacturer and your mobile phone carrier.

As history has often shown us, older Android devices are left stranded without an easy path for OS updates.

If upgrading your version of Android is not an option, you can reduce the risk by ensuring that apps are only ever downloaded from the official Google Play store rather than third-party sites.

Palo Alto Networks has released a free vulnerability scanner (available from the Google Play store, natch) that will hunt for the flaw on your Android device.

This article originally appeared on the Optimal Security blog.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.
