Recently, Palo Alto Networks disclosed a new Time-of-Check to Time-of-Use (TOCTTOU) vulnerability in Google's Android OS that affects roughly half of the Android user base, more than 500 million devices. The vulnerable installer parses an APK to show the user its requested permissions (the check) and then installs whatever file sits at that same path (the use). Because the two steps are not tied to the same bytes, an attacker who overwrites the APK during that window gets a different binary installed than the one the victim intended, and the vulnerable OS never notices the substitution.
Installations from outside Google Play (third-party stores and sideloaded files) stage the APK on shared, unprotected local storage such as the SD card, which any app on the device can write to; that is what makes a TOCTTOU attack possible in the first place. The same substitution can be carried out by a seemingly harmless installer app that is itself malicious and initiates the installation. When the user taps “Install”, a bad Android Package (APK) is installed on vulnerable Android versions, because the installer never checks that the permissions it displayed match those of the package actually installed.
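To make the race concrete, here is an added Python simulation of the installer behaviour described above. It is not Skycure's or Palo Alto Networks' code and contains no real Android framework code: the "APK" is a zip holding a `manifest.json` stand-in for AndroidManifest.xml, "installing" just returns the parsed package record, and the attacker's swap is triggered deterministically while the permission prompt is "shown" instead of by a racing thread. The hardened variant shows one generic mitigation pattern (stage the file in installer-private storage and parse and install the same bytes); it is not a description of Google's actual patch.

```python
"""Simulated installer: TOCTTOU on a shared-storage APK, and one fix.

Added example, not code from the original post. The APK format and the
install step are deliberate simplifications (constructed stand-ins).
"""
import io
import json
import os
import shutil
import tempfile
import zipfile


def build_apk(package, permissions):
    """Constructed sample 'APK': a zip with a JSON manifest stand-in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = {"package": package, "permissions": permissions}
        zf.writestr("manifest.json", json.dumps(manifest))
    return buf.getvalue()


def parse_manifest(apk_bytes):
    """The 'check': read the package name and requested permissions."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return json.loads(zf.read("manifest.json"))


def vulnerable_install(shared_path, during_prompt):
    """Check the file at shared_path, show the prompt, then install by
    re-reading the SAME world-writable path. during_prompt() models the
    window while the user reads the permission prompt."""
    with open(shared_path, "rb") as f:
        shown = parse_manifest(f.read())          # time of check
    during_prompt()                               # attacker swaps the file here
    with open(shared_path, "rb") as f:
        installed = parse_manifest(f.read())      # time of use: different bytes
    return shown["permissions"], installed


def hardened_install(shared_path, during_prompt):
    """Copy the APK into installer-private storage first, then parse and
    install that single staged copy. Writes to the shared path after the
    copy cannot change what gets installed."""
    private_dir = tempfile.mkdtemp(prefix="installer-private-")
    try:
        staged_path = os.path.join(private_dir, "staged.apk")
        shutil.copyfile(shared_path, staged_path)
        with open(staged_path, "rb") as f:
            staged = f.read()                     # the one and only read
        shown = parse_manifest(staged)            # check these bytes ...
        during_prompt()                           # attacker swaps the shared file
        installed = parse_manifest(staged)        # ... and use the same bytes
        return shown["permissions"], installed
    finally:
        shutil.rmtree(private_dir, ignore_errors=True)


def demo(install_fn):
    """Run install_fn against an APK on 'shared storage' that an attacker
    replaces with a permission-hungry version while the prompt is up."""
    shared_dir = tempfile.mkdtemp(prefix="sdcard-")   # stands in for the SD card
    try:
        shared_path = os.path.join(shared_dir, "game.apk")
        with open(shared_path, "wb") as f:
            f.write(build_apk("com.example.game", ["INTERNET"]))

        def attacker_swaps_file():
            # Any app with write access to shared storage can do this.
            with open(shared_path, "wb") as f:
                f.write(build_apk("com.example.game",
                                  ["INTERNET", "READ_SMS", "RECORD_AUDIO"]))

        return install_fn(shared_path, attacker_swaps_file)
    finally:
        shutil.rmtree(shared_dir, ignore_errors=True)


if __name__ == "__main__":
    shown, installed = demo(vulnerable_install)
    print("vulnerable: shown", shown, "installed", installed["permissions"])
    shown, installed = demo(hardened_install)
    print("hardened:   shown", shown, "installed", installed["permissions"])
```

Running it, the vulnerable path displays `INTERNET` and installs a package requesting `INTERNET`, `READ_SMS` and `RECORD_AUDIO`, while the hardened path installs exactly what it displayed. Note that merely hashing the file on the shared path at check time and re-hashing it before install does not close the hole: there is still a window between the second hash and the actual install. The fix is to parse and install the same bytes from a location the attacker cannot write to.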
The simplest safeguard against attacks exploiting this TOCTTOU vulnerability is to install applications only from Google Play, which does not stage downloads on storage other apps can write to. That is not feasible for every business, since useful business applications are listed in legitimate, popular third-party Android app stores such as the Amazon Appstore.
Skycure offers a more realistic solution with next-generation mobile threat defense that protects against multiple mobile threat types: physical, network, malware and OS vulnerabilities such as “Android Installer Hijacking”. In addition to the benign APK that is presented to the user, Skycure applies its multi-layered detection technology to the APK that actually gets installed, so detection does not depend on the method attackers use to get the malicious app onto a vulnerable Android device. Upon detection of a threat, multiple policies can be enforced via Skycure, including but not limited to: removing the malicious app, alerting the user and IT staff, blocking access to sensitive data, apps and email, and preventing the compromised device from connecting to corporate networks, thereby containing the attack.
Download a free version of Skycure for Android to protect your enterprise devices against “Android Installer Hijacking” and other “zero day” vulnerabilities. Skycure for iOS is also available for download in the Apple iTunes store.