Android Users at Risk from Newly Discovered Security Flaw

Leading enterprise security organisation Palo Alto Networks today revealed details of a widespread vulnerability in Google's Android mobile operating system. It allows attackers to seize control of the installation of a seemingly safe Android application (an Android Package File, or APK) and replace it with an app of the attacker's choice, without the user's knowledge.

Exploitation of this security weakness, which is estimated to affect almost 50% of current Android device users, allows attackers to potentially distribute malware, compromise devices and steal user data.

Palo Alto Networks has also today released an application in response to this threat, to help potentially affected Android users diagnose their devices.

The vulnerability was discovered by Palo Alto Networks Unit 42 threat researcher Zhi Xu, and it reportedly exploits a flaw in Android's ‘PackageInstaller’ system service, allowing attackers to silently gain unlimited permissions on compromised devices.

During installation, Android applications list the permissions they request in order to perform their function; for example, a messaging app might request access to SMS messages but not to GPS location.

The security weakness also allows attackers to trick users by displaying a false, more limited set of permissions, while potentially gaining full access to the services and data on the user's device, including personal information and passwords. While users believe they are installing a flashlight app, or a mobile game, with a well-defined and limited set of permissions, they are actually running potentially dangerous malware.

Unit 42, the Palo Alto Networks threat intelligence team, has worked with Google and Android device manufacturers such as Samsung and Amazon in an attempt to protect users and patch this vulnerability in affected versions of Android. However, some devices running older versions of Android may remain vulnerable.

The vulnerability disclosed today affects Android applications downloaded from third-party sources, and it is important to note that it does not affect applications accessed from Google Play. Palo Alto Networks has highlighted the following recommended steps for enterprises concerned about the risk of malware through Android devices:

  • On vulnerable devices, only install software applications from Google Play; these files are downloaded into a protected space, which cannot be overwritten by the attacker.
  • Deploy mobile devices with Android 4.3_r0.9 and later, but keep in mind that some Android 4.3 devices have been found to be vulnerable.
  • Do not provide apps with permission to access logcat. Logcat is a system log, which can be used to simplify and automate the exploit. Android 4.1 and later versions by default forbid apps from reading the logcat output of the system and of other installed apps, but on rooted devices running Android 4.1 or later an installed app could still manage to gain access to other apps' logcat.
  • Do not allow enterprise users to use rooted devices with enterprise networks.
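The following script is an added example for enterprise administrators checking a fleet against the recommendations above; it is not part of the Palo Alto Networks release or its diagnostic app. It assumes the values are collected over `adb` (`ro.build.version.release` for the OS version and the `install_non_market_apps` global setting, which exists from Android 4.2), and it uses the presence of a `su` binary as a simple, assumed heuristic for a rooted device.

```shell
#!/bin/sh
# Added example: classify a device against the guidance above
# (Android 4.3+ required, some 4.3 builds still vulnerable; no
# third-party app sources; no rooted devices).

parse_release() {            # sets MAJOR/MINOR from "4.2.2", "4.3" or "5"
  MAJOR=${1%%.*}; MINOR=0
  [ "$1" != "$MAJOR" ] && { MINOR=${1#*.}; MINOR=${MINOR%%.*}; }
  MAJOR=$(printf '%s' "$MAJOR" | tr -cd '0-9')
  MINOR=$(printf '%s' "$MINOR" | tr -cd '0-9')
  : "${MAJOR:=0}" "${MINOR:=0}"
}

version_status() {           # prints "old" (<4.3), "4.3" or "ok" (>4.3)
  parse_release "$1"
  if [ "$MAJOR" -lt 4 ] || { [ "$MAJOR" -eq 4 ] && [ "$MINOR" -lt 3 ]; }; then
    echo old
  elif [ "$MAJOR" -eq 4 ] && [ "$MINOR" -eq 3 ]; then
    echo 4.3
  else
    echo ok
  fi
}

# assess_device <release> <install_non_market_apps> <su_present>
# Prints a verdict; returns 0 only when the device meets all recommendations.
assess_device() {
  findings=""
  case $(version_status "$1") in
    old) findings="$findings android<4.3" ;;
    4.3) findings="$findings android-4.3(check-build)" ;;   # some 4.3 builds affected
  esac
  case "$2" in                 # "0" = unknown sources disabled, "1" = enabled
    0) ;;
    1) findings="$findings unknown-sources-enabled" ;;
    *) findings="$findings unknown-sources-unverified" ;;  # e.g. pre-4.2, no settings cmd
  esac
  [ "$3" = "0" ] || findings="$findings rooted"
  if [ -z "$findings" ]; then echo "OK: Android $1"; return 0; fi
  echo "REVIEW: Android $1:$findings"; return 1
}

# Stand-alone use with an attached device: sh check.sh --adb
if [ "${1:-}" = "--adb" ] && command -v adb >/dev/null 2>&1; then
  rel=$(adb shell getprop ro.build.version.release | tr -d '\r')
  unknown=$(adb shell settings get global install_non_market_apps 2>/dev/null | tr -d '\r')
  # Assumed root heuristic: a su binary in the usual system locations.
  su=$(adb shell 'if [ -e /system/xbin/su ] || [ -e /system/bin/su ]; then echo 1; else echo 0; fi' | tr -d '\r')
  assess_device "$rel" "$unknown" "$su"
fi
```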

"This Android vulnerability means users who think they're accessing legitimate applications with approved permissions may instead be exposed to data theft and malware. We urge users to take advantage of the diagnostic application provided by Palo Alto Networks to check their devices, and we thank Google, Samsung and Amazon for their cooperation and attention," said Ryan Olson, Intelligence Director, Unit 42, Palo Alto Networks.