Security researchers at Palo Alto Networks claim to have found a vulnerability in Android versions ranging from v2.3 (Gingerbread) to v4.3_r0.9 (Jelly Bean) that allows attackers to gain full access to compromised devices. The bug pertains to the fact that in vulnerable versions of Android there are no checks at the time of installation of whether an app's permissions actually match those advertised to the user during installation. The vulnerability only affects apps installed from third-party app stores.
Palo Alto Networks says the vulnerability, which it is calling Android Installer Hijacking, is of the 'Time-of-Check to Time-of-Use (TOCTTOU)' type, and allows attackers to mask the permissions of an app being installed between the check page (which lists the permissions) and the actual installation of the apk file.
Essentially, the system service PackageInstaller on affected devices does not verify the apk file at the time of installation, only prior to displaying the permissions - this means the app installed can have different permissions from what are shown. This could allow access to user data including passwords.
The firm says as of Google's March 2015 Android distribution numbers, affected devices account for roughly 49.5 percent of active Android devices. Palo Alto Networks adds that back in January 2014 when it discovered the vulnerability, which it is calling Android Installer Hijacking, the security flaw affected 89.4 percent of active Android devices.
No comments:
Post a Comment