Since our app “Installer Hijacking Defender” was published on the Google Play Store, it has been downloaded more than 30,000 times by users seeking protection against the Installer Hijacking Vulnerability. You might be wondering how it works. Here is a description of the app's mechanism from Xin Xu, Security Specialist at 360 Security Group.
We proposed a novel method to automatically detect the widespread Installer Hijacking Vulnerability in the Android Package Installer, together with non-intrusive approaches to protect devices affected by it. We bundled those techniques into a lightweight, user-friendly Android app, Installer Hijacking Defender (https://play.google.com/store/apps/details?id=com.qihoo.security.killer.ins).
In the following sections, we describe and discuss:
1. Reliable automatic detection of the Installer Hijacking Vulnerability
2. Installer Hijacking attacks – scenario analysis
3. A low-cost solution for attack detection and installation protection
Background information about the Installer Hijacking Vulnerability
On March 24, 2015, security researcher Zhi Xu of Palo Alto Networks published the Installer Hijacking Vulnerability, which his team had first identified in January 2014 as a Time-of-Check-to-Time-of-Use flaw in the Package Installer of the Android OS. An attacker can exploit this flaw to secretly substitute a malicious APK for a benign-looking one before installation, so that the Package Installer view showing the app's information and requested permissions no longer describes what actually gets installed. An estimated 49.5% of Android devices are affected. For more details, see the Palo Alto Networks blog (http://researchcenter.paloaltonetworks.com/2015/03/android-installer-hijacking-vulnerability-could-expose-android-users-to-malware/). Researchers from Palo Alto Networks also released an Android app that helps users check their devices for the vulnerability (https://play.google.com/store/apps/details?id=com.paloaltonetworks.ctd.ihscanner); it mimics an Installer Hijacking attack to test whether the device is vulnerable. This method is interesting and generally reliable, but we believe vulnerability detection should be automated to minimize user interaction. Moreover, a non-intrusive, reliable and low-cost installation protector should be in place to defend vulnerable devices against Installer Hijacking attacks.
Reliable automatic detection of Installer Hijacking Vulnerability
The root cause of the Installer Hijacking Vulnerability is the absence of package verification between the time of check, namely the parsing and display of the app's information and permission requests, and the time of use, namely the installation of the app after the user confirms. The flaw is patched in AOSP 4.3_r0.9 and later. Because the patch code is highly characteristic, we use static analysis to examine whether the Package Installer in question carries the patch.
The scope of our detection method is to examine whether the Package Installer of the Android OS is properly patched against the installer hijacking vulnerability. 360 Security device statistics show that about 95% of Android devices have the Package Installer installed, so checking the Package Installer for this flaw covers the vast majority of devices.
We use reflection to perform static analysis of the Package Installer. The patch for the Installer Hijacking vulnerability lives in the class InstallAppProgress (InstallAppProgress.java), and a characteristic vector of the patch can be established from code analysis. Our Installer Flaw Detector loads the InstallAppProgress class via reflection and examines it against the pre-established characteristic vector. The method is optimized so that detection completes within tens of milliseconds. Because the check looks for the signature of the AOSP patch, a Package Installer that a vendor fixed in some other way may not be recognized as patched.
Installer Hijacking attacks – scenario analysis
Before discussing protection for vulnerable devices, we need to take a close look at when and how an Installer Hijacking attack takes place.
1. A benign-looking app pre-installed on the device performs the APK substitution itself. When it detects that an APK file has been downloaded and is being shown in the Package Installer view, it silently replaces the original APK file with that of a malicious app.
2. A benign-looking app promotes another benign-looking app in its ads. After the user downloads the advertised app and its information is shown in the Package Installer view, the promoting app silently replaces the APK file that was shown to the user with a malicious one.
In both cases, the window for a deceitful package substitution opens when the original APK file's information is displayed in the Package Installer and closes when the installation process starts. This is also the period during which monitoring for hijacking is required.
The hijacking app may or may not initiate the installation itself, but whichever app is the initiator, it generally sends an implicit intent asking the system for a valid app installer. The system passes the intent on to one of the installers or, depending on system settings, prompts the user to choose one.
Low-cost solution for attack detection and installation protection
As a third-party security app, we are technically unable to patch the installer flaw itself. An effective mitigation is to monitor the APK file throughout the hijacking window and alert the user should any hijacking occur. Based on the analysis of the possible Installer Hijacking scenarios, we worked out an attack-detection solution with no perceivable impact on system performance. It relies on three assumptions:
1. App installation can be initiated by any installed app or by any website.
2. There is at least one valid installer in the system, which may or may not be the Package Installer (the app we have launched currently mitigates only the flaw in the Package Installer).
3. Once the installer prompts the user, the user either completes the installation or explicitly cancels it before sending the installer to the background.
The technical challenge in detecting APK file hijacking is that it can take place anywhere in an unprotected file system. We sidestep this difficulty by introducing an Installation Protector. The installation protection procedure is as follows:
1. We make sure users understand that the Installation Protector is there to protect their vulnerable devices, and they choose it as the default installer, as shown in Fig. 1.
2. Once chosen as the default installer, the Installation Protector receives the system's app-installation intent together with the path of the APK file.
3. The Installation Protector computes a digest (hash) of the APK file and records its last-modification time, then passes the intent on to the Package Installer.
4. During the subsequent installation process, the Installation Protector repeatedly checks the last-modification time of the APK file to see whether it has been modified.
5. The digest of the installed app is also computed and compared with the original one.
Note that an app with write access to the APK can also reset its timestamp (for example with File.setLastModified), so the modification-time poll in step 4 is a cheap early warning, while the digest comparison in step 5 is the authoritative check.
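The procedure above, modelled as an added example (this is not the Installer Hijacking Defender's own code): the Android intent plumbing is replaced by plain file operations in a temporary directory, the APK contents are constructed placeholder bytes, the copy into a second directory stands in for the system copying the package at install time, and the repeated poll of step 4 is collapsed into a single comparison. All function and variable names are our own. The scenario function runs three cases: no hijack, a hijack that changes the modification time, and a hijack in which the attacker also resets the modification time, which only the digest comparison of step 5 catches.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass

# A fixed timestamp far in the past (1e9 seconds since the epoch, in ns).
# Pinning the download to it guarantees a later write changes the mtime
# regardless of the filesystem's timestamp granularity.
PAST_NS = 1_000_000_000 * 1_000_000_000


def sha256_of(path):
    """Digest of the whole file, read in chunks so a large APK is not held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class ApkRecord:
    """What the protector remembers at time of check (step 3)."""
    path: str
    digest: str
    mtime_ns: int


def record_at_time_of_check(apk_path):
    """Step 3: hash the APK and note its modification time before forwarding the intent."""
    return ApkRecord(apk_path, sha256_of(apk_path), os.stat(apk_path).st_mtime_ns)


def mtime_changed(rec):
    """Step 4: the cheap check repeated while the installer is in the foreground."""
    return os.stat(rec.path).st_mtime_ns != rec.mtime_ns


def verify_at_time_of_use(rec, installed_path):
    """Step 5: compare the digest of what was actually installed with the original."""
    return {
        "mtime_changed": mtime_changed(rec),
        "digest_matches": sha256_of(installed_path) == rec.digest,
    }


def simulate(hijack, restore_mtime=False):
    """Constructed scenario: a benign APK is shown, a hijacker may swap it, then it is 'installed'.

    Returns the step-4/step-5 verdict. The file contents are placeholders, not real
    packages, and the system's copy into /data/app is modelled as a copy to a second directory.
    """
    with tempfile.TemporaryDirectory() as tmp:
        download = os.path.join(tmp, "Download", "update.apk")
        installed = os.path.join(tmp, "data_app", "update.apk")
        os.makedirs(os.path.dirname(download))
        os.makedirs(os.path.dirname(installed))

        with open(download, "wb") as f:
            f.write(b"PK\x03\x04 benign placeholder apk")
        os.utime(download, ns=(PAST_NS, PAST_NS))

        rec = record_at_time_of_check(download)  # time of check

        if hijack:
            # Attack window: the installer is showing the benign app's permissions.
            with open(download, "wb") as f:
                f.write(b"PK\x03\x04 malicious placeholder apk")
            if restore_mtime:
                # An attacker with write access can also put the timestamp back,
                # so an unchanged mtime is not evidence the file is unchanged.
                os.utime(download, ns=(rec.mtime_ns, rec.mtime_ns))

        shutil.copyfile(download, installed)  # time of use: the system copies the APK
        return verify_at_time_of_use(rec, installed)


if __name__ == "__main__":
    for args in ((False,), (True,), (True, True)):
        print(args, simulate(*args))
```

Run as a script, the three cases report no change, a changed mtime with a mismatched digest, and an unchanged mtime with a mismatched digest respectively; the last case is why the digest comparison, not the timestamp, should decide whether to alert the user.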