Android "Installer Hijacking" security leak found

Jerry · March 24, 2015, 3:02pm

In January 2014, we uncovered a Time-of-Check to Time-of-Use (TOCTTOU) vulnerability
in Android OS that permits an attacker to hijack the ordinary Android
APK installation process. This hijacking technique can be used to bypass
the user view and distribute malware with arbitrary permissions. It can
substitute one application with another, for instance if a user tries
to install a legitimate version of “Angry Birds” and ends up with a
Flashlight app that’s running malware. We are calling the technique that
exploits this vulnerability Android Installer Hijacking.
[…]
This only affects applications downloaded from third-party app stores.

http://researchcenter.paloaltonetworks.com/2015/03/android-installer-hijacking-vulnerability-could-expose-android-users-to-malware/

The article links to a patch for Android 4.3 which may be applicable for Android 4.2 as well, or a starting point for building your own patch. It might be a good idea for the FairPhone devs to keep an eye on this.

Jerry · March 24, 2015, 3:11pm

Having said that, the security problem is probably a lot smaller than it looks like. First of all, you need to allow installation of APK’s from untrusted sources and actually do so and, more importantly, it appears like the phone needs to be infected with some sort of malware already to make the APK file switch/modification somehow.

kgha · March 24, 2015, 3:12pm

In the meantime, and in order to avoid panic, the following (from the website linked to by @Jerry) should be noted:
"This only affects applications downloaded from third-party app stores."
So (as always), do not install apps unless you can verify their trustworthiness. And those of us who haven’t ticked the box “allow installation of apps from unknown sources” have no reason to worry about this specific vulnerability.

EDIT: Ooops, beaten with a few nanoseconds

paulakreuzer · March 24, 2015, 7:02pm

Is there a possibillity to let the phone know that F-Droid is not an unknown source?
And what does the option beneath Unknown Sources do? “Verify Apps” - it’s always greyed out on my phone, is it just for people who have the Play Store?

kgha · March 24, 2015, 7:13pm

Don’t think so, which means that you’ll have to do updates manually and enable/disable every time. Or, since apk files don’t come flying at random, simply be careful about what links you click. I guess that you, when clicking on an apk link, always will be asked what you want to do with it (install or save).

I guess so. I’m on the dark side, and for me the option is activated.

anon41421263 · April 24, 2015, 11:13pm

There are multiple ways of doing that.
You could for example install the “/system/app-mover” from F-Droid and make F-Droid a system app (or do that by hand).
Afterwards, disable “Allow apps from unknown sources” and you should be all set.

Note: You’ll have to reinstall F-Droid (and make it a system app again, if you wish) after an Android update.

paulakreuzer · April 25, 2015, 4:11am

Thanks @haffenloher, I totally forgot about that option.

ben · April 25, 2015, 10:58am

Actually i don’t think that helps because F-droid uses the normal Android APK installer for app installs, which is also the reason there is no automatic update for all apps, at least as far as i know.

Yup, that function is part of the Google Play Services and sadly not available on plain android …

paulakreuzer · April 25, 2015, 3:49pm

Thanks @ben but it does work. I now use F-Droid as a system app and disabled unknown sources. Installing Apps works.

ben · April 25, 2015, 6:48pm

Great news! It seems i was wrong.

paulakreuzer · February 16, 2017, 11:49am

A post was merged into an existing topic: Interesting links / news articles somehow related to FP (collection)