App installer exploit affects older versions of Android but isn't as scary as it sounds

Android Lock Screen (Image credit: Android Central)

A new(ish) exploit was published today by the folks at Palo Alto Networks. It describes how a bug in the Android package installer could be used to put malware on older phones. It works against versions of Android older than 4.3 and doesn't affect apps installed via Google Play, but it's still worth talking about, because plenty of users could be affected.

But that doesn't necessarily mean you need to worry much, even though roughly half of all currently active Android devices run a version older than 4.3. Here's what's up.

How it works

When you download an application package (an .apk file), the package installer opens it, reads its manifest, and shows you the app's name and the permissions it requests. Only after you tap Install does the system go back to the file on disk and actually install it. The exploit lives in that gap: while you're looking at the installer screen and reading the permissions, a malicious app already on the device overwrites the .apk with a different one, so what gets installed is not what you were shown. In short, you say "Yes" to the thing you wanted to install, and the exploit swaps in a different app between the check and the install (a classic time-of-check to time-of-use race).

That's obviously bad. But here's the thing:

This only works against apps sideloaded from third-party sources. When you download an app from Google Play, the download goes into the installer's private storage (a directory whose Linux-style read/write/execute permissions allow only its owner to touch it), so only the package installer can read or modify the file. When you download an .apk file from anywhere else, it usually lands in shared external storage such as the Download folder, which any app holding the external-storage permission can read and overwrite, and that is what gives a malicious app the chance to swap the file before it is installed.
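To make the race and the storage difference concrete, here is a small Python model of it. This is an added example, not code from the article or from Palo Alto Networks' write-up, and it simplifies: the "APK" is a constructed zip whose manifest is a plain-text list of permissions rather than Android's binary AndroidManifest.xml, and the user's tap on Install and the attacker's overwrite are plain function calls. The vulnerable installer parses the file in shared storage, prompts, then installs from the same path; the hardened variant copies the file into a private directory first, parses and installs that copy, and re-checks its hash at install time. The `dir_is_world_writable` check is the storage test a cautious installer could apply to the source path.

```python
import hashlib
import os
import shutil
import stat
import tempfile
import zipfile


def build_fake_apk(path, permissions):
    """Constructed stand-in for an APK: a zip whose 'manifest' is a text member."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("permissions.txt", "\n".join(permissions))


def read_permissions(path):
    """What the installer shows on the permissions screen."""
    with zipfile.ZipFile(path) as z:
        return z.read("permissions.txt").decode().split("\n")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def dir_is_world_writable(path):
    """True when the directory holding `path` is writable by any user (like /sdcard)."""
    mode = os.stat(os.path.dirname(os.path.abspath(path))).st_mode
    return bool(mode & stat.S_IWOTH)


def vulnerable_install(apk_path, user_accepts, between_check_and_install):
    """Parse from the shared path, prompt, then install from the same path."""
    shown = read_permissions(apk_path)            # time of check
    if not user_accepts(shown):
        return None
    between_check_and_install()                   # attacker's window while the dialog is up
    installed = read_permissions(apk_path)        # time of use: reads whatever is there now
    return {"shown": shown, "installed": installed}


def hardened_install(apk_path, user_accepts, between_check_and_install, private_dir):
    """Stage into private storage, parse and install the staged copy, verify it did not change."""
    staged = os.path.join(private_dir, "staged.apk")
    shutil.copyfile(apk_path, staged)
    digest = sha256_of(staged)
    shown = read_permissions(staged)
    if not user_accepts(shown):
        return None
    between_check_and_install()                   # attacker can still rewrite the shared file
    if sha256_of(staged) != digest:               # but the staged copy must be untouched
        raise RuntimeError("staged package changed between prompt and install")
    installed = read_permissions(staged)
    return {"shown": shown, "installed": installed}


def demo():
    """Runs both installers against a swapped APK; returns their outcomes and the storage check."""
    work = tempfile.mkdtemp()
    shared = os.path.join(work, "sdcard")          # models world-writable external storage
    private = os.path.join(work, "app_private")    # models the installer's private directory
    os.makedirs(shared)
    os.makedirs(private)
    os.chmod(shared, 0o777)
    os.chmod(private, 0o700)
    apk = os.path.join(shared, "game.apk")

    def benign():
        build_fake_apk(apk, ["INTERNET"])

    def swap():  # the malicious app overwriting the file while the dialog is shown
        build_fake_apk(apk, ["INTERNET", "READ_SMS", "SEND_SMS"])

    def accept(perms):  # the user reads the list and taps Install
        return True

    benign()
    shared_writable = dir_is_world_writable(apk)
    vuln = vulnerable_install(apk, accept, swap)
    benign()
    hard = hardened_install(apk, accept, swap, private)
    shutil.rmtree(work)
    return {"shared_writable": shared_writable, "vulnerable": vuln, "hardened": hard}


if __name__ == "__main__":
    result = demo()
    print("shared dir world-writable:", result["shared_writable"])
    print("vulnerable installer:", result["vulnerable"])
    print("hardened installer:  ", result["hardened"])
```

Running it shows the vulnerable path displaying one permission list and installing another, while the hardened path installs exactly what it showed; the hash check only matters if the private directory is itself compromised, and copying first is what actually closes the window.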

The folks at Palo Alto Networks go into details about how apk files can be exploited in this manner, and it's worth a read if you're into that sort of thing.

Who is affected?

Any Android device running a version older than Android 4.3 is potentially affected. Google says it patched the vulnerability in Android 4.3_r09, and newer versions should be unaffected.

Amazon says it patched the vulnerability in its App Store, and all users should be using the latest version.

If you use other application markets, or directly download apk files from other sources, you are at risk if your device is running a version of Android older than 4.3. In response to Palo Alto Networks, Google has said "The Android Security Team has not detected any attempts to exploit this vulnerability on user devices," so the issue isn't widespread.

What should I do if I'm vulnerable?

Only download and install applications from Google Play, Amazon or another trusted source. Like most malware, this exploit depends on users downloading applications from people who want to do bad things. Avoid those people and places and you'll be unaffected.

Jerry Hildenbrand

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

6 Comments
  • I never install apps from other than the Play Store or Amazon App Store. Sounds like that kind of caution is well warranted... even though my devices are on either Lollipop or Kit Kat. Posted via the Android Central App
  • I wish I could do that on my old GS2, but I can't use Google Play on it. For the simple reason that Google on the phone thinks my Gmail-password combo is incorrect while the same combo works on my 3 other Androids. The GS2 is running ICS while one of the other 3 Androids is running KitKat. The remaining 2 are on Lollipop.
  • Did you try creating a device specific password for it? The GS2 predates the current method where Google sends you to a website to further authenticate. Posted via the Android Central App
  • This doesn't seem possible. The installer doesn't run any executable inside the APK while installing it, and even after the installation has finished, it doesn't run it.
    The reason is that since Honeycomb (Android 3.0) newly installed apps go to "stopped" state, which means they can't do anything till the user has launched them manually (or something else did).
  • So like almost all exploits, malware, viruses and such, this falls under the category of "don't be a dumbass and download unscrupulous things and you'll be fine"... The same rule that has applied since the beginning of the internet....
  • Good to know as my Droid 1 still runs stock Froyo, my alarm clock/ music player