Defend what you create

Other Resources


My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Android Installer Hijacking

Android Installer Hijacking is a vulnerability in Google Android operating systems, which allows cybercriminals to take over installation from APK files and distribute malware to mobile devices. This vulnerability exists in the following operating systems: Android 2.3, 4.0.3–4.0.4, 4.1.X, 4.2.X, as well as in some revisions of Android 4.3 pre-installed on mobile devices. Google Android 4.4 and newer operating systems do not contain this vulnerability.

On attempt to install an application from the APK file, the list of permissions requested by the application is displayed. These permissions are also specified in the application manifest. Cybercriminals exploiting the Android Installer Hijacking vulnerability can covertly substitute a trusted application with any malware. This malware then can get access to confidential data stored on the infected device.

Users can protect their devices by downloading applications only from sources with secure stores of APK files, which cannot be compromised by cybercriminals (for example, Google Play). In fact, the vulnerability can be exploited only if users install an application themselves after downloading it from unofficial sources.

Dr.Web Anti-virus for Android detects and removes malicious programs that exploit the Android Installer Hijacking vulnerability just after the beginning of the installation process. Thus, Dr.Web users are effectively protected from such Trojans.

Technical details

Installation packages of programs for Google Android are files with the .APK extension, which are, in fact, common ZIP archives. Applications are installed via the special tool called PackageInstaller. When installation starts, this tool parses the content of the APK package and extracts important data (file names, required permissions, and so on). After that, key data is displayed to the user as the PackageInstallerActivity screen. This screen prompts users to confirm that they want to install this application and they grant the requested permissions to it. The installation process starts once the Install button is tapped.

The vulnerability allows cybercriminals to substitute the application's APK file, stored in an insecure store on the device, with any malware while the user is reading the information displayed in the PackageInstallerActivity screen. Due to the developers' mistake, PackageInstaller does not check an application started by tapping the Install button; thus, any program with permissions different from those requested in the PackageInstallerActivity screen can be installed.

See also information about other vulnerabilities

The Russian developer of Dr.Web anti-viruses
Doctor Web has been developing anti-virus software since 1992
Dr.Web is trusted by users around the world in 200+ countries
The company has delivered an anti-virus as a service since 2007
24/7 tech support

Dr.Web © Doctor Web
2003 — 2021

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125124