The company that loves to out vulnerabilities in others can't seem to keep its own platform secure.
It's no secret that Android remains one of the more troublesome platforms that IT has to deal with today. Android phones are cheap, making them a palatable offering for a lot of consumers who then decide it's critical to connect their personal devices to the corporate network.
According to Palo Alto Networks, a newly exposed flaw, called "Android Installer Hijacking," leaves devices with Android versions earlier than 4.4 exposed to a hijacking technique that lets an untrusted app be installed with the device permissions granted to another app.
Fortunately, this vulnerability has only been found to affect apps that are downloaded from a third-party source and not from Google Play, Google's app store. Palo Alto Networks makes the following recommendations to help mitigate the issue:
Only install apps from Google Play.
Deploy the latest version of Android (if possible).
Do not grant apps permission to access logcat, the system log.
Eliminate devices that have been rooted. The exploit doesn't require a device to be rooted, but rooting does make devices more vulnerable.
Additionally, Palo Alto Networks has released a tool to the Google Play store, Installer Hijacking Scanner, that can be used to identify vulnerable devices.
The unfortunate thing is that this flaw exposes millions of handsets (almost 46%) and it has the potential to steal usernames, passwords, and more. Google has been notified about the flaw, along with other major Android adopters including Samsung and Amazon. The flaw was discovered in January 2014, reported to Google in February 2014, reported to Samsung in March 2014, reported to Amazon in September 2014, and publicly disclosed in March 2015.
Vulnerable versions include Android 2.3, 4.0.3-4.0.4, 4.1.x, 4.2.x, and some 4.3 builds.
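For fleet triage, the version list above can be turned into a quick first-pass check before running the scanner app on the remaining devices. This is an added example, not code from Palo Alto Networks or the article; it assumes an inventory of "<serial> <release>" lines, where the release value is what `adb shell getprop ro.build.version.release` prints on a device, and it marks 4.3 and unlisted pre-4.4 releases as "possibly vulnerable" because the article only says "some 4.3" builds are affected.

```python
# Added example (not Palo Alto Networks' or the article's code): classify the
# release string each device reports against the version list in the article.
# Assumes an inventory of "<serial> <release>" lines; the release value is what
# `adb shell getprop ro.build.version.release` prints on a device.

VULNERABLE = "vulnerable"
POSSIBLE = "possibly vulnerable - confirm with the scanner app"
SAFE = "not affected"
UNKNOWN = "unparseable version"

def parse_release(release):
    """'4.0.4' -> (4, 0, 4); pads short strings, returns None on garbage."""
    try:
        nums = tuple(int(p) for p in release.strip().split("."))
    except ValueError:
        return None
    if not 1 <= len(nums) <= 3:
        return None
    return nums + (0,) * (3 - len(nums))

def classify(release):
    """Map one release string to a verdict using the article's version list."""
    parsed = parse_release(release)
    if parsed is None:
        return UNKNOWN
    major, minor, patch = parsed
    if (major, minor) >= (4, 4):
        return SAFE                      # article: fix present from 4.4 on
    if (major, minor) == (4, 3):
        return POSSIBLE                  # article: only "some 4.3" builds
    if (major, minor) in ((2, 3), (4, 1), (4, 2)):
        return VULNERABLE
    if (major, minor) == (4, 0):
        return VULNERABLE if 3 <= patch <= 4 else POSSIBLE  # 4.0.3-4.0.4 listed
    return POSSIBLE                      # pre-4.4 release the article does not name

# Constructed sample inventory, not real devices.
INVENTORY = "emu-01 4.0.4\nemu-02 4.4.2\nemu-03 4.3\nemu-04 2.3.6\nemu-05 n/a\n"

def triage(inventory=INVENTORY):
    """Return {serial: verdict} for every non-empty inventory line."""
    verdicts = {}
    for line in inventory.splitlines():
        serial, _, release = line.partition(" ")
        if serial:
            verdicts[serial] = classify(release)
    return verdicts
```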