Half of all Android users are still vulnerable to a security flaw uncovered in the most popular mobile operating system early last year, according to a new report from security firm Palo Alto Networks. The vulnerability in question allows an attacker to modify or replace Android apps with malware without the user’s knowledge.
Google was informed of the vulnerability in February 2014, a month after its discovery, and has since come up with a patch, which it has included in later revisions of Android 4.3 Jelly Bean and newer distributions. According to the latest data from Google, that still leaves 49.9 percent of all Android users unprotected.
The vulnerability lies in Android’s PackageInstaller, the component that handles the installation of apps. According to Palo Alto Networks, it is restricted to apps downloaded — either through third-party app stores or manually by users — into insecure storage locations, where the downloaded file can be modified by an attacker before it is installed.
In practice that covers just about every Android app store out there, with two exceptions: Google Play, and sources such as Amazon’s AppStore that have already been patched against the vulnerability. That said, sideloading APKs is still risky, as there is no protection for apps that users manually download.
The vulnerability can be exploited through an app downloaded “from any normal app store”, according to Palo Alto Networks, which means that users do not necessarily have to be looking for trouble to be affected. The app in question can appear to be legitimate, and may only reveal its role when PackageInstaller is triggered.
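As an added illustration (not code from the article or from Palo Alto Networks), the following Python models the class of problem described above: an installer that verifies an APK in a shared, writable location and then installs from that same location can be handed a different file by the time it installs, whereas copying into app-private storage before verifying removes that window. The APK contents are constructed stand-ins, and the assumption that the attacker’s window falls between verification and installation is mine rather than something the article states.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large APKs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def install_from_shared_location(shared_apk, expected_sha256, tamper=None):
    """Unsafe pattern: verify the file where it sits, then install from the same
    writable location. `tamper` stands in for another app rewriting the file in
    the gap between the two reads. Returns the bytes that actually get installed."""
    if sha256_of(shared_apk) != expected_sha256:
        raise ValueError("verification failed")
    if tamper:
        tamper(shared_apk)  # simulated modification after the check
    with open(shared_apk, "rb") as f:
        return f.read()


def install_via_private_copy(shared_apk, expected_sha256, private_dir, tamper=None):
    """Hardened pattern: stage a copy in app-private storage, verify that copy,
    and install only that copy. Later writes to the shared file change nothing."""
    private_apk = os.path.join(private_dir, "staged.apk")
    shutil.copyfile(shared_apk, private_apk)
    if sha256_of(private_apk) != expected_sha256:
        raise ValueError("verification failed")
    if tamper:
        tamper(shared_apk)  # same simulated modification, now harmless
    with open(private_apk, "rb") as f:
        return f.read()


def demo():
    """Constructed data: a 'genuine' and a 'replaced' APK stand-in.
    Returns (unsafe path installed the replaced file, safe path installed the genuine one)."""
    genuine = b"PK\x03\x04 constructed stand-in for a legitimate APK"
    replaced = b"PK\x03\x04 constructed stand-in for a swapped-in APK"
    expected = hashlib.sha256(genuine).hexdigest()

    def write(path, data):
        with open(path, "wb") as f:
            f.write(data)

    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
        apk = os.path.join(shared, "update.apk")
        write(apk, genuine)
        unsafe = install_from_shared_location(apk, expected, tamper=lambda p: write(p, replaced))
        write(apk, genuine)
        safe = install_via_private_copy(apk, expected, private, tamper=lambda p: write(p, replaced))
    return unsafe == replaced, safe == genuine
```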
For fewer users to be vulnerable, Android vendors would have to release software updates for older devices, which, as we all know, is unlikely to happen. However, there are other ways to stay safe.
Other than buying a new handset that is still supported by its manufacturer for a reasonable period of time, users can use the latest available versions of their favorite third-party app stores, steer clear of shady sources, and pay more attention to which apps they install on their devices.