Android Installer Hijacking Vulnerability Puts Users of Third-party App Stores at Risk

Palo Alto Networks today shared details of a security vulnerability in the Android operating system that could allow an attacker to hijack the installation of what appears to be a legitimate Android application and modify or replace it with malware.

The network security firm said an estimated 49.5 percent of current Android users are impacted by the flaw, which, if exploited, could potentially give attackers full access to a compromised device, including usernames, passwords, and sensitive data.

Fortunately, the risk for most typical Android users is low, as the vulnerability only affects applications downloaded from third-party app stores, not the official Google Play store, which downloads files into a protected space and cannot be overwritten by an attacker.

Discovered by Palo Alto Networks researcher Zhi Xu, the vulnerability stems from a flaw in Android’s “PackageInstaller” system service that allows attackers to silently gain unlimited permissions on compromised devices, the company said.

Palo Alto Networks summarized the flaw as follows:

• During installation, Android applications list the permissions requested to perform their function, such as a messaging app requesting access to SMS messages, but not GPS location.

• This vulnerability allows attackers to trick users by displaying a false, more limited set of permissions, while potentially gaining full access to the services and data on the user’s device, including personal information and passwords.

• While users believe they are installing a flashlight app, or a mobile game, with a well-defined and limited set of permissions, they are actually running potentially dangerous malware.


“On affected platforms, we discovered that the PackageInstaller has a ‘Time of Check’ to ‘Time of Use’ vulnerability,” the company explained in a blog post. “In layman’s terms, that simply means that the APK file can be modified or replaced during installation without the user’s knowledge. The Installer Hijacking vulnerability affects APK files downloaded to unprotected local storage only because the protected space of Play Store app cannot be accessed by other installed apps.”
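To make the “Time of Check” to “Time of Use” pattern concrete, here is an added simulation (not Palo Alto Networks’ or Google’s code): a stand-in installer that reads a fake APK’s permission list from shared storage and then reads the file again to install it, beside a hardened variant that first copies the file into a private staging directory, the same idea as the protected space the article describes. The zip-with-JSON-manifest format, the file names and the swap scenario are constructed for this example.

```python
import json
import os
import shutil
import tempfile
import zipfile

# Constructed stand-in for an APK: a zip whose manifest.json lists requested
# permissions. Real APKs carry a binary AndroidManifest.xml; this is a simplification.
def write_fake_apk(path, permissions):
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("manifest.json", json.dumps({"permissions": permissions}))

def read_permissions(path):
    with zipfile.ZipFile(path) as z:
        return json.loads(z.read("manifest.json"))["permissions"]

def vulnerable_install(apk_path, between_check_and_use):
    shown = read_permissions(apk_path)      # time of check: file in shared storage
    between_check_and_use()                 # window in which another app can swap it
    installed = read_permissions(apk_path)  # time of use: same unprotected path, read again
    return shown, installed

def hardened_install(apk_path, between_check_and_use):
    # Copy into a private staging directory and check and use that one copy,
    # so later writes to the shared-storage path cannot change what gets installed.
    staging = tempfile.mkdtemp()
    staged = os.path.join(staging, "staged.apk")
    shutil.copyfile(apk_path, staged)
    shown = read_permissions(staged)
    between_check_and_use()
    installed = read_permissions(staged)
    shutil.rmtree(staging)
    return shown, installed

def simulate(install):
    # Constructed scenario: a flashlight app asking only for CAMERA is swapped, during
    # the install window, for a build that also asks for SMS access.
    workdir = tempfile.mkdtemp()
    apk = os.path.join(workdir, "flashlight.apk")
    write_fake_apk(apk, ["android.permission.CAMERA"])
    def swap():
        write_fake_apk(apk, ["android.permission.CAMERA", "android.permission.READ_SMS"])
    try:
        return install(apk, swap)
    finally:
        shutil.rmtree(workdir)
```

Running `simulate(vulnerable_install)` shows the user one permission while a different set is installed; `simulate(hardened_install)` returns the same list for both steps because the staged copy is the only file the installer ever reads.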

Palo Alto Networks said it has worked with Google and Android device manufacturers, including Samsung and Amazon, to help protect users and patch the vulnerability in affected versions of Android; however, some older-version Android devices may remain vulnerable.

Palo Alto Networks recommends the following for enterprises concerned about the risk of malware through Android devices:

• On vulnerable devices, only install software applications from Google Play; these files are downloaded into a protected space, which cannot be overwritten by the attacker.

• Deploy mobile devices with Android 4.3_r0.9 and later, but keep in mind that some Android 4.3 devices are found to be vulnerable.

• Do not provide apps with permission to access logcat. Logcat is a system log, which can be used to simplify and automate the exploit. Android 4.1 and later versions of Android by default forbid apps from accessing logcat of system and other installed apps. But an installed app could still manage to get access to other apps’ logcat on rooted mobile devices using Android 4.1 or later.

• Do not allow enterprise users to use rooted devices with enterprise networks.

According to Google, the Android Open Source Project includes patches for the vulnerability for Android 4.3 and later, which can be found here.

According to Google’s Android Security Team, no attempts to exploit the vulnerability on user devices have been detected.

Palo Alto Networks has also released a vulnerability scanner app in the Google Play store, which it has open sourced on GitHub.

Ryan Olson, Unit 42 Intelligence Director at Palo Alto Networks, told SecurityWeek that no CVE has been assigned for the flaw, as Google did not request one.

Additional technical details and information are available in the blog post from Palo Alto Networks. 

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
