App installer exploit affects older versions of Android but isn't as scary as it sounds

[Image: Android Lock Screen (Image credit: Android Central)]

A new(ish) exploit has been published today by the folks at Palo Alto Networks that describes how a bug in the Android package installer could potentially infect older phones with malware. The exploit works against versions of Android older than Android 4.3 and doesn't affect apps installed via Google Play. It's still something that needs to be talked about, as plenty of users could be affected.

But that doesn't necessarily mean you need to worry much — even though roughly half of all currently active Android devices are sub-Jelly Bean. Here's what's up.

How it works

When you download an application package (apk file), the package installer runs to install it to your system. The exploit here acts on that package file and does a bit of a switcheroo, installing something different from what you think you're about to install. It does this while you're looking at the installer screen and reading the permissions. In short, you say "Yes" to the app you wanted, and while you're saying yes the exploit swaps in a different app in the background.

That's obviously bad. But here's the thing:

This only works with third-party app stores. When you download an app from Google Play, the download goes into protected storage (a folder whose Linux-style read/write/execute permissions are locked down so that only the package installer can access it). When you download an apk file from anywhere else, it goes into unprotected storage (a shared folder without those restrictive permissions), and plenty of other processes have access to the raw file.
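An added illustration (not from the article or from Palo Alto Networks' write-up): a Python simulation of the installer flow described above, using a constructed zip with a text "manifest" in place of a real APK. It contrasts the naive flow, which prompts from and then installs the same shared file, with two defensive checks: pinning the file's hash at prompt time, and staging the package in private storage before prompting.

```python
import hashlib
import shutil
import tempfile
import zipfile
from pathlib import Path

def make_apk(path, permissions):
    # Constructed stand-in for an APK: a zip whose "manifest" lists permissions.
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("MANIFEST.txt", "\n".join(permissions))

def read_permissions(path):
    with zipfile.ZipFile(path) as z:
        return z.read("MANIFEST.txt").decode().splitlines()

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def naive_install(apk_path, swap):
    """Vulnerable flow: prompt from the shared file, then install the same path."""
    shown = read_permissions(apk_path)  # what the user reads and approves
    swap()                              # another process rewrites the file meanwhile
    return shown, read_permissions(apk_path)  # what actually gets installed

def checked_install(apk_path, swap, stage_privately):
    """Pin the file hash at prompt time; optionally stage in private storage first."""
    path = Path(apk_path)
    if stage_privately:
        path = Path(tempfile.mkdtemp()) / "staged.apk"  # dir other apps cannot reach
        shutil.copyfile(apk_path, path)
    pinned = sha256(path)
    shown = read_permissions(path)
    swap()
    if sha256(path) != pinned:
        raise RuntimeError("package changed after the permission prompt")
    return shown, read_permissions(path)

def demo():
    """Runs the three flows against a constructed shared-storage directory."""
    shared = Path(tempfile.mkdtemp()) / "game.apk"  # stands in for /sdcard
    benign, malicious = ["INTERNET"], ["INTERNET", "READ_SMS", "SEND_SMS"]
    swap = lambda: make_apk(shared, malicious)
    make_apk(shared, benign)
    naive = naive_install(shared, swap)
    make_apk(shared, benign)
    try:
        verified = checked_install(shared, swap, stage_privately=False)
    except RuntimeError as e:
        verified = str(e)
    make_apk(shared, benign)
    staged = checked_install(shared, swap, stage_privately=True)
    return naive, verified, staged
```

The naive flow silently installs more permissions than were shown; hash pinning on the shared file turns the swap into a hard failure, and staging in private storage removes the window entirely.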

The folks at Palo Alto Networks go into details about how apk files can be exploited in this manner, and it's worth a read if you're into that sort of thing.

Who is affected?

Any Android device running a version older than Android 4.3 is potentially affected. Google says it patched the vulnerability in Android 4.3_r09, and newer versions should be unaffected.

Amazon says it patched the vulnerability in its App Store, and all users should be using the latest version, available here.

If you use other application markets, or directly download apk files from other sources, you are at risk if your device is running a version of Android older than 4.3. In response to Palo Alto Networks, Google has said "The Android Security Team has not detected any attempts to exploit this vulnerability on user devices," so the issue isn't widespread.

What should I do if I'm vulnerable?

Only download and install applications from Google Play, Amazon or another trusted source. Like most malware instances, this exploit depends on users downloading applications from folks with the desire to do bad things. Avoid those people and places and you'll be unaffected.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.