
Widespread malware threat on Android devices

25 Mar 2015

Enterprise security provider Palo Alto Networks has revealed details of a ‘widespread vulnerability’ in Google’s Android mobile operating system that allows attackers to hijack the installation of a seemingly safe Android application package (APK) on a user’s device and replace it with an app of the attacker’s choice, without the user’s knowledge.

Palo Alto Networks says exploitation of this vulnerability, which it estimates affects about 49.5% of current Android device users, could allow attackers to distribute malware, compromise devices and steal user data. The company has also released an application that lets potentially affected Android users check whether their device is vulnerable.

The vulnerability affects Android applications downloaded from third-party sources; it does not affect applications installed from Google Play.

Vulnerability allows stealth bait & switch
Discovered by Palo Alto Networks Unit 42 threat researcher Zhi Xu, the vulnerability lies in Android’s PackageInstaller system service and lets an attacker silently obtain unlimited permissions on a compromised device. Specifically:
· During installation, an Android application lists the permissions it requests in order to perform its function, such as a messaging app requesting access to SMS messages but not GPS location.
· This vulnerability allows an attacker to trick the user by displaying a false, more limited set of permissions for the app the user thinks is being installed, while the app actually installed can gain full access to the services and data on the device, including personal information and passwords.
· While the user believes they are installing a flashlight app or a mobile game with a well-defined and limited set of permissions, they are actually running potentially dangerous malware.

“This Android vulnerability means users who think they’re accessing legitimate applications with approved permissions may instead be exposed to data theft and malware. We urge users to take advantage of the diagnostic application provided by Palo,” says Ryan Olson, intelligence director, Unit 42, Palo Alto Networks.

Unit 42, the Palo Alto Networks threat intelligence team, has worked with Google and with Android device manufacturers such as Samsung and Amazon to help protect users and patch this vulnerability in affected versions of Android. Some devices running older Android versions may remain vulnerable.

Palo Alto Networks recommends the following for enterprises concerned about the risk of malware on Android devices:
· On vulnerable devices, only install applications from Google Play; Play downloads APK files into a protected space that the attacker cannot overwrite.

· Deploy mobile devices running Android 4.3_r0.9 or later, but keep in mind that some Android 4.3 devices have been found to be vulnerable.

· Do not give apps permission to access logcat. Logcat is the system log, and an attacker can use it to simplify and automate the exploit. Android 4.1 and later forbid apps by default from reading the logcat output of the system and of other installed apps, but on a rooted device running Android 4.1 or later an installed app can still manage to gain that access.

· Do not allow enterprise users to connect rooted devices to enterprise networks.
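The bait-and-switch described above, and the “protected space” mitigation in the first recommendation, come down to a check-then-use gap: the installer reads the APK’s permission list from a location another app can write to, shows it to the user, and then installs whatever is at that path when the user taps Install. The simulation below is an added example, not Palo Alto Networks’ or Android’s code: it models the APK as a zip with a `manifest.json` (a stand-in for `AndroidManifest.xml`), the shared location and the private directory as temporary folders, and the malicious app as a hook that overwrites the file between the permission dialog and the install. The hardened variant copies the APK into the private directory first and performs both the check and the install on that copy, which is the property Google Play downloads have. All names and directories are assumptions made for the example.

```python
"""Simulated installer hijacking (check-then-use on a shared path) and its fix.

Added example, not Palo Alto Networks' or Android's code. The 'APK' is a zip
containing manifest.json; the shared directory stands in for external storage
that any app can write to, the private directory for installer-only storage.
"""
import json
import os
import shutil
import tempfile
import zipfile


def write_apk(path, name, permissions):
    """Build a toy APK: a zip whose manifest.json declares the app's permissions."""
    with zipfile.ZipFile(path, "w") as z:  # mode "w" truncates, so this also 'swaps' a file
        z.writestr("manifest.json", json.dumps({"name": name, "permissions": permissions}))


def read_manifest(path):
    """Parse the declared name and permissions from a toy APK."""
    with zipfile.ZipFile(path) as z:
        return json.loads(z.read("manifest.json"))


def vulnerable_install(apk_path, user_approves, attacker_hook=None):
    """Check and install from the same shared path; returns the manifest actually installed."""
    shown = read_manifest(apk_path)                 # time of check: what the dialog displays
    if not user_approves(shown["permissions"]):
        return None
    if attacker_hook:
        attacker_hook()                             # window while the user reads the dialog
    return read_manifest(apk_path)                  # time of use: whatever is at the path now


def hardened_install(apk_path, private_dir, user_approves, attacker_hook=None):
    """Stage the APK in a directory the attacker cannot write to, then check and install that copy."""
    staged = os.path.join(private_dir, "staged.apk")
    shutil.copyfile(apk_path, staged)
    shown = read_manifest(staged)
    if not user_approves(shown["permissions"]):
        return None
    if attacker_hook:
        attacker_hook()                             # the shared copy may still be rewritten...
    return read_manifest(staged)                    # ...but the staged bytes are what is installed


def demo():
    """Run both installers against a file-swapping attacker; returns (vulnerable, hardened) results."""
    shared = tempfile.mkdtemp(prefix="sdcard_")     # assumed world-writable location
    private = tempfile.mkdtemp(prefix="installer_")  # assumed installer-only location
    apk = os.path.join(shared, "flashlight.apk")
    benign = ["android.permission.CAMERA"]
    write_apk(apk, "flashlight", benign)

    def swap():  # the malicious app, waiting for the permission dialog to appear
        write_apk(apk, "malware", ["android.permission.READ_SMS",
                                   "android.permission.READ_CONTACTS"])

    approve = lambda perms: perms == benign         # the user only approves the limited set

    try:
        vulnerable = vulnerable_install(apk, approve, swap)
        write_apk(apk, "flashlight", benign)        # reset the shared file for the second run
        hardened = hardened_install(apk, private, approve, swap)
    finally:
        shutil.rmtree(shared)
        shutil.rmtree(private)
    return vulnerable, hardened


if __name__ == "__main__":
    v, h = demo()
    print("vulnerable installer installed:", v["name"], v["permissions"])
    print("hardened installer installed:  ", h["name"], h["permissions"])
```

Running `demo()` installs `malware` with SMS and contacts access through the vulnerable path even though the user approved only the camera permission, while the hardened path installs the flashlight app whose permissions were shown. The staged copy only protects against other apps if the private directory really is private, which is why the last recommendation above matters: on a rooted device a malicious app can write there too and the hardening no longer holds.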
