Hearing that an Android device is vulnerable to attack is certainly nothing new by this point. Year over year since its release we’ve been bombarded with news and stories about how Android is leaving mobile phones vulnerable to one deviant exploit or another, but now a new discovery from Palo Alto Networks may officially trump anything else that’s come before.
Affecting roughly half of the Android devices in use, the flaw, which Palo Alto calls "Android Installer Hijacking", lets an attacker swap the app a user has chosen to install for one of the attacker's choosing, turning a seemingly innocuous download into a malicious one.
The vulnerability was discovered by Palo Alto Networks researcher Zhi Xu, and the team cautions that the attack can masquerade as any of the user's favourite applications, even when the user has no idea anything is amiss.
“The malicious application can gain full access to a compromised device, including usernames, passwords, and sensitive data,” Xu says in an advisory.
“This hijacking technique can … substitute one application with another, for instance if a user tries to install a legitimate version of Angry Birds and ends up with a flashlight app that’s running malware.”
PackageInstaller is not a rogue app but the Android system component that installs APK files. Apps installed from the Google Play store are not affected, because Play downloads packages into storage that other apps cannot write to. The weakness lies in the path taken by third-party app stores and sideloaded installs, which stage the downloaded APK on shared storage such as the SD card, where any app with write access to that storage can tamper with it.
Samsung and Amazon, both of which ship their own Android builds and, in Amazon's case, its own app store, were among the vendors Palo Alto notified ahead of disclosure, and both had fixes ready alongside Google. Beyond those, the large installed base of devices still running older Android versions remains open to a targeted attack.
“… PackageInstaller on affected versions does not verify the APK (Android app) file at the Time of Use [meaning] the PackageInstaller can actually install a different app with an entirely different set of permissions,” Xu says.
In order to mitigate any damage, users should make sure their phones or tablets run Android 4.4 KitKat or higher. The fix landed in Android 4.3_r0.9, but some 4.3 builds shipped before it, so anything below 4.4 should be treated as exposed. Google has already patched the Android source; the problem is that handset makers and carriers must ship updates for the many devices still on older versions, and many of those devices will never receive one. Until an update arrives, users on older versions should install apps only from Google Play and avoid sideloading or third-party stores. Palo Alto has also published a free scanner app that reports whether a device is affected.
The attack targets the window between the moment PackageInstaller reads an APK to show its permission dialog and the moment it actually installs the file. Third-party stores and sideloaded installs, including the Amazon Appstore at the time of disclosure, stage the downloaded APK on unprotected storage such as /sdcard.
A malicious app already on the device, even one with no permissions beyond writing to that shared storage, can wait for the permission dialog to appear and overwrite the file. Because the installer does not re-verify the file before installing, it installs the substitute, with whatever permissions the substitute declares, while the user believes they approved the original. It is a classic time-of-check to time-of-use (TOCTOU) race.
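The race described above, as an added example that is not part of the original article or of Palo Alto's own code: a Python model in which a toy "APK" (a constructed text file, an assumption made for this example) is installed once by an installer that behaves like the affected PackageInstaller, reading and then installing from a world-writable path, and once by a hardened installer that first copies the file into private storage and checks a digest before installing. A simulated malicious app overwrites the shared file while the consent prompt is up.

```python
"""Toy model of the Android "Installer Hijacking" TOCTOU race.
Nothing here touches a real device: the APK format, the installer and the
directory layout are all stand-ins constructed for this example."""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass


def write_apk(path: str, permissions: list[str], payload: str) -> None:
    """Toy APK: first line lists requested permissions, the rest is 'code'."""
    with open(path, "w", encoding="utf-8") as f:
        f.write(",".join(permissions) + "\n" + payload)


def parse_apk(data: str) -> tuple[list[str], str]:
    perms, _, payload = data.partition("\n")
    return perms.split(","), payload


@dataclass
class Installed:
    shown_permissions: list[str]    # what the consent dialog displayed
    granted_permissions: list[str]  # what the installed package really asks for
    payload: str


def vulnerable_install(apk_path: str, consent_prompt) -> Installed:
    """Models the affected PackageInstaller: parse from a shared path,
    prompt the user, then install from the same path without re-checking."""
    with open(apk_path, encoding="utf-8") as f:      # time of check
        shown, _ = parse_apk(f.read())
    consent_prompt(shown)                            # user reads the dialog: the race window
    with open(apk_path, encoding="utf-8") as f:      # time of use, no verification
        granted, payload = parse_apk(f.read())
    return Installed(shown, granted, payload)


def hardened_install(apk_path: str, private_dir: str, consent_prompt) -> Installed:
    """Stage the APK into storage other apps cannot write (what Google Play
    does), then check and install from that private copy, and refuse to
    proceed if its digest changed between the prompt and the install."""
    staged = os.path.join(private_dir, "staged.apk")
    shutil.copyfile(apk_path, staged)
    with open(staged, encoding="utf-8") as f:
        data = f.read()
    digest = hashlib.sha256(data.encode()).hexdigest()
    shown, _ = parse_apk(data)
    consent_prompt(shown)
    with open(staged, encoding="utf-8") as f:
        data2 = f.read()
    if hashlib.sha256(data2.encode()).hexdigest() != digest:
        raise RuntimeError("APK modified between check and use; aborting install")
    granted, payload = parse_apk(data2)
    return Installed(shown, granted, payload)


BENIGN_PERMS = ["INTERNET"]
MALICIOUS_PERMS = ["INTERNET", "READ_SMS", "READ_CONTACTS", "RECEIVE_BOOT_COMPLETED"]


def run_scenario() -> dict:
    """Install a benign 'flashlight' app through both installers while a
    simulated malicious app swaps the file on shared storage mid-prompt."""
    root = tempfile.mkdtemp()
    try:
        shared = os.path.join(root, "sdcard")               # world-writable, like /sdcard
        private = os.path.join(root, "data", "installer")   # app-private directory
        os.makedirs(shared)
        os.makedirs(private)
        apk = os.path.join(shared, "flashlight.apk")

        def swap_while_user_reads(_shown):
            # The attacker sees the prompt appear and overwrites the shared file.
            write_apk(apk, MALICIOUS_PERMS, "steal_sms_and_contacts()")

        write_apk(apk, BENIGN_PERMS, "turn_on_led()")
        vuln = vulnerable_install(apk, swap_while_user_reads)

        write_apk(apk, BENIGN_PERMS, "turn_on_led()")
        safe = hardened_install(apk, private, swap_while_user_reads)
        return {"vulnerable": vuln, "hardened": safe}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    r = run_scenario()
    print("vulnerable installer showed", r["vulnerable"].shown_permissions,
          "but installed", r["vulnerable"].granted_permissions)
    print("hardened installer installed", r["hardened"].granted_permissions)
```

Running it shows the vulnerable installer displaying INTERNET as the only permission and then installing a package that asks for SMS and contacts access, while the hardened installer, working from its private copy, installs exactly what it showed. The digest re-check is belt and braces: on a real system the private directory is what keeps the attacker out, and the hash catches the case where that assumption fails.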
Thankfully, although the researchers demonstrated the attack working in their lab, Palo Alto says it has seen no evidence of the technique being used against real users yet.
Google has patched the Android source, Samsung and Amazon have released fixes of their own, and other handset manufacturers are expected to follow as news of the flaw spreads over the coming days and weeks. How quickly those updates actually reach devices in the field is another matter.