Security researchers at Palo Alto Networks claim to have found a vulnerability in Android versions ranging from v2.3 (Gingerbread) to v4.3_r0.9 (Jelly Bean) that allows attackers to gain full access to compromised devices. The bug pertains to the fact that in vulnerable versions of Android there are no checks at the time of installation of whether an app's permissions actually match those advertised to the user during installation. The vulnerability only affects apps installed from third-party app stores.
Palo Alto Networks says the vulnerability, which it is calling Android Installer Hijacking, is of the 'Time-of-Check to Time-of-Use (TOCTTOU)' type, and allows attackers to mask the permissions of an app being installed between the check page (which lists the permissions) and the actual installation of the apk file.
Essentially, the system service PackageInstaller on affected devices does not verify the apk file at the time of installation, only prior to displaying the permissions - this means the app installed can have different permissions from what are shown. This could allow access to user data including passwords.
The firm says as of Google's March 2015 Android distribution numbers, affected devices account for roughly 49.5 percent of active Android devices. Palo Alto Networks adds that back in January 2014 when it discovered the vulnerability, which it is calling Android Installer Hijacking, the security flaw affected 89.4 percent of active Android devices.
In February last year however, Palo Alto Networks says it informed Google's Android Security Team, and then informed Samsung in March, and Amazon (the vulnerability includes devices accessing Amazon Appstore for Android) in September, so that patches could be issued.
A quote by the Google team on the security firm's blog post says, "Android Open Source Project includes patches for this issue for Android 4.3 and later," and adds that the Team "has not detected any attempts to exploit this vulnerability on user devices."
Amazon on the other hand recommends users should download the latest version of the Amazon Appstore for Android, which it says gets "updated automatically on Fire devices and for 3rd party Android devices it can be updated via www.amazon.com/getappstore."
Palo Alto Networks itself has released an app to the Google Play store that allows users to check if their devices are affected by the Android Installer Hijacking vulnerability. It adds that Samsung and Amazon have released fixes for their affected devices, which included those running on Fire OS.