Quick heads-up on a vulnerability you might learn about soon. The folks at Palo Alto stumbled across a major security vulnerability within Android that could allow malicious apps to hijack an app install. Before you freak out and hook your phone up to a chemo machine to rid it of any impurities, stop — there’s almost nothing to be worried about here:
- Google has already patched it ahead of this report being released
- The initial bug was reported to Google as early as January 2014. We suspect Google kept it under wraps this long to make sure no-gooders wouldn’t try to target exposed devices
- The vulnerability only affects sideloaded apps or apps downloaded from third-party app stores
- It only affected Android versions prior to 4.4
- For devices not on 4.4 or higher, Palo Alto worked with top manufacturers like Samsung to patch this fix in with their most recent software updates. Amazon also updated their Appstore to patch the vulnerability
So what does it do? According to them, since a side-loaded APK is installed from an unprotected source such as an SD card, an app could hijack the process of installing the app by Android’s package installer. It’d do this by replacing the legit APK with one that would most likely contain some sort of malware and other nasty stuff, and it would all happen without the user even knowing.
The dirty (but full) details can be found in the report published here, but the reality is that most folks with a phone made within the past couple of years are probably safe. Still, if you’re the oddball who still as a Nexus One on Android 2.3 and might be using a third-party app store over Google Play, you’ll be glad you know about it.
Palo Alto made a neat app that will check your phone to see if it is vulnerable. If it’s not, you’re good to go. If it is? Well, you should definitely try to download a ROM based on at least Android 4.4, or use this as a good excuse to finally get that new phone you’ve been eying. Be safe friends, and try not to download anything outside of Google Play unless you absolutely have to.