Nearly Half of Android Devices Sitting Ducks for Malware

Nearly half the existent Android devices are susceptible to malware attach that can siphon off personal data, courtesy third party applications.

The vulnerability exists in older Android devices (< 4.3) due to the manner of third party app installations. According to Zhu Xu who wrote about the hack, the third party applications download apps to an unsecured location, like SD storage, on the device.

Malware is first downloaded by way of a legitimate looking app which does not seek any suspicious permission. Later when a legitimate app is installed from a third-party app store, the malware is trigger. Xu said the seemingly harmless app downloaded first can overwrite the second application from third-party store to gain access to the device.

Xu attributed the vulnerability to the functioning of the package installer in Android. The installer only seeks permissions from the user at the time of install but not at the time of use. When the user is reviewing permissions presented by a legitimate third-party app, malicious code can take charge.

"Vulnerability exists in this process because while the user is reviewing this information, the attacker can modify or replace the package in the background. In the "Time of Use" (i.e., after clicking the "Install" button), the PackageInstaller can actually install a different app with an entirely different set of permissions," Xu wrote.

Xu recommended that users suspecting vulnerability to download the vulnerability scanner app from Google Play Store. Users of affected devices should restrict downloads from Google Play store which downloads apps to a secure location on the device.