In January 2014, we uncovered a Time-of-Check to Time-of-Use (TOCTTOU) vulnerability
in Android OS that permits an attacker to hijack the ordinary Android
APK installation process. This hijacking technique can be used to bypass
the user view and distribute malware with arbitrary permissions. It can
substitute one application with another, for instance if a user tries
to install a legitimate version of “Angry Birds” and ends up with a
Flashlight app that’s running malware. We are calling the technique that
exploits this vulnerability Android Installer Hijacking.
This only affects applications downloaded from third-party app stores.
The article links to a patch for Android 4.3 which may be applicable for Android 4.2 as well, or a starting point for building your own patch. It might be a good idea for the FairPhone devs to keep an eye on this.
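The race the article describes, as an added illustration that is not from the article or from Android's own installer code: a simulated installer that reads a permission list and then installs from the same shared path, beside one that stages the file in private storage and installs exactly what it checked. APK parsing is replaced by a constructed one-line "manifest" format, and the file names and the `swap` hook standing in for the racing writer are assumptions.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed stand-ins for two APKs (not real archives): the first line plays
# the role of the manifest's permission list, the rest is the package body.
BENIGN_APK = b"permissions=INTERNET\nbody=angry-birds\n"
HOSTILE_APK = b"permissions=INTERNET,READ_SMS,SEND_SMS\nbody=flashlight\n"

def parse_permissions(data):
    """Stand-in for reading the permission list out of the manifest."""
    header = data.split(b"\n", 1)[0].decode()
    return header[len("permissions="):].split(",")

def vulnerable_install(path, swap):
    """Check (permission prompt) and use (install) are two independent reads
    of a path in shared storage that other apps can write: classic TOCTTOU."""
    shown = parse_permissions(Path(path).read_bytes())  # what the user approves
    swap()                                              # race window: file replaced
    installed = Path(path).read_bytes()                 # what is actually installed
    return shown, installed

def hardened_install(path, swap, private_dir):
    """Stage the APK in app-private storage, pin it with a digest, and run the
    permission check and the install against that same staged copy."""
    staged_path = Path(private_dir, "staged.apk")
    shutil.copyfile(path, staged_path)
    staged = staged_path.read_bytes()
    pinned = hashlib.sha256(staged).hexdigest()
    shown = parse_permissions(staged)
    swap()                                   # shared copy changes; staged copy does not
    installed = staged_path.read_bytes()
    if hashlib.sha256(installed).hexdigest() != pinned:
        raise RuntimeError("staged APK changed between check and install")
    return shown, installed

def demo():
    """Run both installers through the same race; returns (shown, installed) for each."""
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
        apk = Path(shared, "download.apk")
        swap = lambda: apk.write_bytes(HOSTILE_APK)  # stands in for the racing writer
        apk.write_bytes(BENIGN_APK)
        vuln = vulnerable_install(apk, swap)
        apk.write_bytes(BENIGN_APK)
        hard = hardened_install(apk, swap, private)
    return {"vulnerable": vuln, "hardened": hard}
```

The digest check only catches divergence within the installer's own staging area; the protection that matters is that the staging directory is not writable by other apps, which is why downloading to private storage rather than shared external storage is the mitigation for third-party stores.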