A dangerous vulnerability has been discovered in Android

    Palo Alto Networks has announced the discovery of a dangerous vulnerability in the application installer component (PackageInstaller) of Android versions <5. The vulnerability is similar to the Masque vulnerability for iOS, which we wrote about here, and allows one application to be installed on top of another, with the new application gaining access to all the data of the previous one. It applies to applications installed from a third-party application store rather than from Google Play, because only in that scenario can attackers take advantage of the vulnerability.



    According to Palo Alto Networks estimates, the vulnerability affects 49.5% of all devices running Android. The exploit itself was successfully tested on the following versions of Android: 2.3, 4.0.3-4.0.4, 4.1.X, and 4.2.x. Some firmware with Android 4.3 is also vulnerable. For Android 4.4, this vulnerability has already been fixed.

    In the Android versions listed above, the PackageInstaller component contains a time-of-check to time-of-use (TOCTOU) vulnerability. Roughly speaking, it allows one .APK file to be overwritten with another, without the user's knowledge, during installation of the application, or more precisely, while the access rights requested by the application are being reviewed by the user (the so-called PackageInstallerActivity screen). Attackers can exploit the vulnerability only if the user uses a third-party application store, because in that case .APK files are not downloaded to a protected place in the file system (protected storage), as is the case with Google Play, but to another location (for example, /sdcard/).
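
    The check/use gap described above can be modelled outside Android. The following is an added example, not PackageInstaller code and not Google's actual fix: it contrasts reading the package twice from a shared path with staging it into private storage and pinning it by digest. The function names, the temporary directories standing in for /sdcard/ and protected storage, and the package contents are all assumptions constructed for the illustration.

```python
import hashlib
import os
import shutil
import tempfile

def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def install_unsafe(path, during_review):
    """Check and use the same shared path: the reviewed file may not be the installed one."""
    reviewed = sha256(path)    # time of check: package parsed, permissions shown
    during_review()            # the user reads the permission screen
    installed = sha256(path)   # time of use: file is read again from shared storage
    return reviewed, installed

def install_safe(path, private_dir, during_review):
    """Stage a private copy first, then check and use only that copy, pinned by digest."""
    staged = os.path.join(private_dir, "staged.apk")
    shutil.copyfile(path, staged)
    os.chmod(staged, 0o600)    # only the installer's own account can modify the copy
    reviewed = sha256(staged)
    during_review()
    installed = sha256(staged)
    if installed != reviewed:  # refuse to install anything the user did not review
        raise RuntimeError("package changed between review and install")
    return reviewed, installed

def demo():
    # Constructed stand-ins: 'public' models /sdcard/, 'private' models protected storage.
    with tempfile.TemporaryDirectory() as public, tempfile.TemporaryDirectory() as private:
        apk = os.path.join(public, "app.apk")

        def write(data):
            with open(apk, "wb") as f:
                f.write(data)

        def swap():            # another process rewrites the shared file during review
            write(b"constructed package B")

        write(b"constructed package A")
        reviewed, installed = install_unsafe(apk, swap)
        unsafe_match = reviewed == installed
        write(b"constructed package A")
        reviewed, installed = install_safe(apk, private, swap)
        return unsafe_match, reviewed == installed

if __name__ == "__main__":
    print(demo())
```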

    A special scanner has been published on Google Play to detect this vulnerability on a device.
