Android "Installer Hijacking" security leak found

In January 2014, we uncovered a Time-of-Check to Time-of-Use (TOCTTOU) vulnerability
in Android OS that permits an attacker to hijack the ordinary Android
APK installation process. This hijacking technique can be used to bypass
the user view and distribute malware with arbitrary permissions. It can
substitute one application with another, for instance if a user tries
to install a legitimate version of “Angry Birds” and ends up with a
Flashlight app that’s running malware. We are calling the technique that
exploits this vulnerability Android Installer Hijacking.
This only affects applications downloaded from third-party app stores.

The article links to a patch for Android 4.3 which may be applicable for Android 4.2 as well, or a starting point for building your own patch. It might be a good idea for the FairPhone devs to keep an eye on this.


Having said that, the security problem is probably a lot smaller than it looks like. First of all, you need to allow installation of APK’s from untrusted sources and actually do so and, more importantly, it appears like the phone needs to be infected with some sort of malware already to make the APK file switch/modification somehow.

In the meantime, and in order to avoid panic, the following (from the website linked to by @Jerry) should be noted:
"This only affects applications downloaded from third-party app stores."
So (as always), do not install apps unless you can verify their trustworthiness. And those of us who haven’t ticked the box “allow installation of apps from unknown sources” have no reason to worry about this specific vulnerability.

EDIT: Ooops, beaten with a few nanoseconds :slight_smile:


Is there a possibillity to let the phone know that F-Droid is not an unknown source?
And what does the option beneath Unknown Sources do? “Verify Apps” - it’s always greyed out on my phone, is it just for people who have the Play Store?


Don’t think so, which means that you’ll have to do updates manually and enable/disable every time. Or, since apk files don’t come flying at random, simply be careful about what links you click. I guess that you, when clicking on an apk link, always will be asked what you want to do with it (install or save).

I guess so. I’m on the dark side, and for me the option is activated.


There are multiple ways of doing that.
You could for example install the “/system/app-mover” from F-Droid and make F-Droid a system app (or do that by hand).
Afterwards, disable “Allow apps from unknown sources” and you should be all set.

Note: You’ll have to reinstall F-Droid (and make it a system app again, if you wish) after an Android update.


Thanks @haffenloher, I totally forgot about that option.

Actually i don’t think that helps because F-droid uses the normal Android APK installer for app installs, which is also the reason there is no automatic update for all apps, at least as far as i know.

Yup, that function is part of the Google Play Services and sadly not available on plain android …


Thanks @ben but it does work. I now use F-Droid as a system app and disabled unknown sources. Installing Apps works. :smiley:


Great news! It seems i was wrong.

A post was merged into an existing topic: :gb: :de: :fr: Interesting links / news articles somehow related to FP (collection)