Modern field guide to security and privacy

Android security flaw puts millions of users at risk

A vulnerability dubbed Android Installer Hijacking could expose users to malicious software designed to steal passwords and usernames from smartphones and tablets.

A view of the permissions screen during an Android app installation. The new bug could render the permissions process moot. (Image: Palo Alto Networks)

A newly discovered vulnerability in the Android operating system could expose hundreds of millions of smartphone and tablet users to malicious software, according to research from a cybersecurity firm.

Palo Alto Networks said Tuesday that it uncovered a vulnerability that could give attackers control over a mobile device and access to its data, usernames, and passwords through seemingly benign applications downloaded from third-party stores such as the Amazon Appstore. Apps downloaded from the Google Play store are not affected, because Google Play places its downloads in protected storage that other apps cannot write to.

The potential harm of the bug, which the security company has named "Android Installer Hijacking," is vast: more than 1 billion people worldwide are active Android users. Palo Alto Networks said it informed Google of the problem a year ago and worked with Google, Amazon, and Samsung, which also runs a popular Android app store, to release patches. So far, however, there is no known evidence that attackers have exploited the bug against phones or tablets.

Android Installer Hijacking works by tampering with the installation process, allowing an attacker to install any program in place of the app a user thinks they are installing. This could mean one app is replaced with a completely different app or, worse, a seemingly harmless app is replaced with a more malicious version of itself. Either way the attack circumvents the permissions process, the step that lets users limit how an app interacts with the phone: the user approves the permissions of the app they chose, but the app that actually lands on the device can request, and receive, a different set.

Android is designed so that an app alerts users during installation if it intends to use the microphone, track the device's location, place calls, or use other core features of the device. But on an affected phone, the installer can display the permission prompt for one program while actually installing another.
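The mechanism behind the swap, as an added illustration that is not code from Palo Alto Networks, Google, or any app store: in Palo Alto Networks' own write-up, the affected third-party stores downloaded APK files to shared, world-writable storage, the system installer read the permissions from that file and displayed them, and then read the same file again to install it. Any other app holding permission to write to shared storage could replace the file in that gap, a classic time-of-check-to-time-of-use race. The Python below simulates the race against a constructed in-memory "filesystem" (the JSON stand-in for an APK, the package name com.example.notes, the download path, the class names, and the permission names are all placeholders) and contrasts the vulnerable installer with one that stages the file in private storage and pins its hash before prompting.

```python
"""Simulation of the Android Installer Hijacking race (added example, not
code from the original article or from any Android component)."""
import hashlib
import json


# --- constructed stand-ins (not real APK parsing) ----------------------------
# A real APK is a ZIP containing a binary AndroidManifest.xml; here an "APK"
# is a JSON blob carrying the only two fields the installer needs.
def make_apk(package, permissions):
    return json.dumps({"package": package,
                       "permissions": sorted(permissions)}).encode()


def read_manifest(blob):
    return json.loads(blob.decode())


class Storage:
    """Two namespaces: 'shared' models world-writable /sdcard, where the
    affected third-party stores dropped their downloads; 'private' models
    the installer's own app-private directory, which other apps cannot write."""
    def __init__(self):
        self.shared = {}
        self.private = {}


class Hijacker:
    """A low-privilege app holding only WRITE_EXTERNAL_STORAGE. It waits for
    the permission dialog to appear, then overwrites the downloaded file."""
    def __init__(self, storage, path, payload):
        self.storage, self.path, self.payload = storage, path, payload
        self.fired = False

    def on_prompt(self, shown_permissions):
        # The user is reading the dialog; swap the file out from under it.
        self.storage.shared[self.path] = self.payload
        self.fired = True


def vulnerable_install(storage, path, user_prompt):
    """Installer that parses the APK in place, prompts, then reads it again."""
    shown = read_manifest(storage.shared[path])["permissions"]
    user_prompt(shown)                                 # time of check
    installed = read_manifest(storage.shared[path])    # time of use
    return {"shown": shown, "installed": installed}


def hardened_install(storage, path, user_prompt):
    """Installer that stages the APK in private storage and pins its hash,
    so the bytes that were displayed are the only bytes that get installed."""
    blob = storage.shared[path]
    storage.private["staged.apk"] = blob
    pinned = hashlib.sha256(blob).hexdigest()
    shown = read_manifest(storage.private["staged.apk"])["permissions"]
    user_prompt(shown)
    staged = storage.private["staged.apk"]
    if hashlib.sha256(staged).hexdigest() != pinned:
        raise RuntimeError("staged APK changed after the permission prompt")
    installed = read_manifest(staged)
    return {"shown": shown, "installed": installed}


def run_scenario(install):
    """Benign download, then a hijacker that swaps in a same-name APK
    requesting extra permissions while the dialog is on screen."""
    storage = Storage()
    path = "/sdcard/Download/com.example.notes.apk"   # placeholder path
    storage.shared[path] = make_apk("com.example.notes", ["INTERNET"])
    trojan = make_apk("com.example.notes",
                      ["INTERNET", "READ_SMS", "RECORD_AUDIO",
                       "ACCESS_FINE_LOCATION"])
    hijacker = Hijacker(storage, path, trojan)
    result = install(storage, path, hijacker.on_prompt)
    result["hijacker_fired"] = hijacker.fired
    return result


if __name__ == "__main__":
    v = run_scenario(vulnerable_install)
    print("vulnerable: shown", v["shown"],
          "installed", v["installed"]["permissions"])
    h = run_scenario(hardened_install)
    print("hardened:   shown", h["shown"],
          "installed", h["installed"]["permissions"])
```

In the vulnerable run the user sees only INTERNET, yet the package that lands on the device carries the hijacker's full permission list under the original package name, which is the "malicious version of itself" case described above. In the hardened run the hijacker still overwrites the shared file, but the installer never looks at it again; the private copy and the pinned digest are what get installed.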

"The danger is that this vulnerability allows all privileges to be installed regardless of what permissions users were told about," said Ryan Olson, director of Palo Alto Networks' Unit 42 Intelligence Lab, the company's research division.

Users are still able to view permissions after the installation. 

Android versions earlier than 4.4 (API level 19) can be affected. Although Google patched Android 4.3, Palo Alto Networks found a number of phones running 4.3 that shipped without the fix, so the version number alone does not settle whether a particular device is vulnerable. Palo Alto Networks has released a free app that Android users can run to check whether their phones are at risk.

Traditionally, the chief security concern with Android (as opposed to Apple's iOS) has been Google Play's minimal app screening process. In the past, Google Play did not screen apps for malicious software the way Apple's App Store has. Recently, Google announced that it would begin reviewing apps before they are published.

Android has, however, seen other vulnerabilities that let one app masquerade as another: in 2014, the security firm Bluebox disclosed a flaw in how Android verified app signing certificates, which allowed an app to present a forged certificate chain and be treated as if it had been signed by a trusted publisher.

Google did not respond to a request for comment. 

Source: https://www.csmonitor.com/World/Passcode/2015/0324/Android-security-flaw-puts-millions-of-users-at-risk