The page may not load correctly.
Android Installer Hijacking is a vulnerability in Google Android operating systems, which allows cybercriminals to take over installation from APK files and distribute malware to mobile devices. This vulnerability exists in the following operating systems: Android 2.3, 4.0.3–4.0.4, 4.1.X, 4.2.X, as well as in some revisions of Android 4.3 pre-installed on mobile devices. Google Android 4.4 and newer operating systems do not contain this vulnerability.
On attempt to install an application from the APK file, the list of permissions requested by the application is displayed. These permissions are also specified in the application manifest. Cybercriminals exploiting the Android Installer Hijacking vulnerability can covertly substitute a trusted application with any malware. This malware then can get access to confidential data stored on the infected device.
Users can protect their devices by downloading applications only from sources with secure stores of APK files, which cannot be compromised by cybercriminals (for example, Google Play). In fact, the vulnerability can be exploited only if users install an application themselves after downloading it from unofficial sources.
Dr.Web Anti-virus for Android detects and removes malicious programs that exploit the Android Installer Hijacking vulnerability just after the beginning of the installation process. Thus, Dr.Web users are effectively protected from such Trojans.
Installation packages of programs for Google Android are files with the .APK extension, which are, in fact, common ZIP archives. Applications are installed via the special tool called PackageInstaller. When installation starts, this tool parses the content of the APK package and extracts important data (file names, required permissions, and so on). After that, key data is displayed to the user as the PackageInstallerActivity screen. This screen prompts users to confirm that they want to install this application and they grant the requested permissions to it. The installation process starts once the Install button is tapped.
The vulnerability allows cybercriminals to substitute the application's APK file, stored in an insecure store on the device, with any malware while the user is reading the information displayed in the PackageInstallerActivity screen. Due to the developers' mistake, PackageInstaller does not check an application started by tapping the Install button; thus, any program with permissions different from those requested in the PackageInstallerActivity screen can be installed.