Hackers May Be Able to Secretly Download Malicious Apps onto Nearly Half of All Android Phones
A researcher at Palo Alto Networks has discovered a frightening Android vulnerability that could allow hackers to steal data from unknowing users. Even scarier, it could affect nearly half of all current Android users.
Called the “Android installer hijacking vulnerability,” the bug reportedly allows attackers to surreptitiously download apps to Android users without them knowing.
Here’s how it works:
-When an Android user installs an app, they are always directed to a permissions screen ensuring the user know what sort of requirements the app has.
-This vulnerability, however, indicates that if a user downloads an app from a third-party app store or an app promotion (that is, not Google Play), Android doesn’t make sure that the app being presented to the user in the permissions page is the actual app being downloaded.
-This means that an attacker can “modify or replace the package in the background.” That is, hackers can secretly change the files that you think you’re downloading for other, more malicious ones. Think of it as an app bait and switch.
There are two ways for attacker to capitalize on this vulnerability. One, they can present to consumers a normal-looking app and then, once approved by the user, swap it for a piece of malware. Or, attackers can flat-out lie about the permissions the app requires, meaning app can look benign but actually gain all sorts of access to private phone data.
The fact that so many users are at risk highlights a real problem with Android. In short, Android operating systems are disturbingly fragmented. While the company has been working to fix its operating system fragmentation problem, more than half of the devices on the market use versions that are as many as three versions behind the latest. The most recent update, dubbed Lollipop, was released in November of 2014 and only 3.3% of all Android users currently run it.
Compare that with Apple, which claimed last fall that 94% of all iPhone users use a version of iOS that was released in the past year. With so many Android users spanning so many versions, it’s difficult for Google to issue a clean fix to problems like these.
The Android installer hijacking vulnerability applies to Android 4.3 devices. It was first discovered in January of 2014 and the researchers informed Google, Samsung, and Amazon (all of which provide operating systems to which the vulnerability applies). Now, more than a year later, all of the vendors have installed patches to fix it, but earlier versions of Android are still at risk.
According to the most recent numbers, that represents 49.5% of the Android devices on the market.
The most obvious fix for Android users would be to update their software. If they are unable to do that, users should only download apps through Google Play, as those files are unable to be overwritten by attackers.
So if you’re running an older version of Android, you better make sure you know what you’re downloading.
Microsoft to Offer Biometric Sign-In for Windows 10
Microsoft Corp will introduce an automatic biometric sign-in option with its Windows 10 operating system due out later this year, the first time it has offered such a service widely across devices.
The feature, called Windows Hello, means users will be able to scan their face, iris or fingerprint to verify identity and access Windows phones, laptops and personal computers.
Microsoft, which announced the feature on Tuesday, said users’ biometric data would be stored locally on the device and kept anonymous to make sure personal data is safe from hackers.
Windows Hello will only be available on new devices that are capable of running the new feature. Chip-maker Intel Corp said all machines incorporating its RealSense F200 sensor will run Windows Hello.
The feature is the latest effort from Microsoft to make its products more amenable to natural interaction with users, following its Kinect motion sensor for the Xbox game console and its Cortana personal assistant on Windows phones, a rival to Apple Inc’s Siri.