Note: The author of the entry has been changed to Chengkai Tao.
We have recently discovered a design flaw in Android devices that allows a fake app to hijack a legitimate app's update and, through the hijacked update, steal the information stored by the targeted app. The flaw lies in a practice common among mobile users in China: using external storage (such as an SD card) to hold downloaded Android application package (APK) files.
Users in China commonly update their apps directly, without going through Google Play or any third-party app store. This is done through an in-app updating function: the vendor rolls out the update by prompting the user to download an APK file and launch it. The problem, however, lies not in this process but in where the APK file is stored.
Android-based devices often ship with small internal storage but accept large external storage. Given the size of APK files, the SD card has become a popular place to save downloaded APK files temporarily.
In our research, we found that saving downloaded APK files on external storage such as an SD card leaves those files open to tampering. External storage is shared by every app on the device, and any app that holds the permission to write to it can modify or replace a file there. A malicious app can therefore swap in its own APK between the time the legitimate update is downloaded and the time the user installs it, so the version that ends up installed is one controlled by the attacker. This is a serious risk when the targeted app handles critical information, such as an online banking app.
The Security Trade-off
Direct app updates may seem convenient, since users get updates as soon as they are available. This flaw shows, however, that the convenience comes with a security trade-off: when nothing checks the integrity of the downloaded file before it is installed, attackers can exploit the gap to plant their own code.
App stores can provide some level of protection. For example, Google Play handles the distribution of updates for the apps it hosts and can check whether an update is legitimate via certificate checks: an update is only accepted if it is signed with the same developer key as the version already published. However, not all app sites are equal in terms of security. Third-party app sites may not be as stringent with security checks as official app stores, and in fact they are often used by cybercriminals to host malicious and high-risk apps.
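An in-app updater can apply the same kind of check itself instead of relying on a store. The following is an added example written for this article (Java for Android); it is not code from the original post or from any vendor discussed. It assumes the update manifest is fetched over HTTPS and carries the SHA-256 of the APK it offers (passed in as expectedSha256Hex), and it uses the GET_SIGNATURES flag that was current at the time of the post (API 28 replaced it with GET_SIGNING_CERTIFICATES). The download goes to app-private storage rather than the shared SD card, the file hash is compared with the manifest value, and the APK's signing certificate is compared with the running app's own certificate before the installer is ever invoked.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

/**
 * Illustrative in-app update verifier (added example, not code from the
 * original post). Assumption: the update server is reached over HTTPS and its
 * manifest advertises the SHA-256 of the APK (expectedSha256Hex).
 */
public final class UpdateVerifier {

    private final Context context;

    public UpdateVerifier(Context context) {
        this.context = context.getApplicationContext();
    }

    /** Where to save the download: app-private storage, not the shared SD card. */
    public File privateDownloadTarget(String fileName) {
        // getCacheDir() is under /data/data/<package>/cache, readable and
        // writable only by this app (and root), so no other app can swap the file.
        return new File(context.getCacheDir(), fileName);
    }

    /** True only if the APK is unmodified and signed with our own key. */
    public boolean isTrustedUpdate(File apk, String expectedSha256Hex) throws IOException {
        if (!apk.isFile()) return false;
        // 1. Integrity: hash must match what the HTTPS manifest advertised.
        if (!sha256Hex(apk).equalsIgnoreCase(expectedSha256Hex)) return false;
        // 2. Authenticity: signing certificate must equal the running app's.
        return signedBySameKeyAsUs(apk);
    }

    private boolean signedBySameKeyAsUs(File apk) {
        PackageManager pm = context.getPackageManager();
        PackageInfo archive = pm.getPackageArchiveInfo(
                apk.getAbsolutePath(), PackageManager.GET_SIGNATURES);
        PackageInfo self;
        try {
            self = pm.getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES);
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
        // Some releases return null signatures for an archive; treat that as
        // failure, never as success.
        if (archive == null || archive.signatures == null || self.signatures == null) return false;
        // The update must be for this package, not a look-alike.
        if (!context.getPackageName().equals(archive.packageName)) return false;
        if (archive.signatures.length != self.signatures.length) return false;
        for (int i = 0; i < self.signatures.length; i++) {
            if (!Arrays.equals(archive.signatures[i].toByteArray(),
                               self.signatures[i].toByteArray())) return false;
        }
        return true;
    }

    private static String sha256Hex(File f) throws IOException {
        MessageDigest md;
        try {
            md = MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory on Android
        }
        try (InputStream in = new FileInputStream(f)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) md.update(buf, 0, n);
        }
        StringBuilder sb = new StringBuilder();
        for (byte b : md.digest()) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

The order of the two checks matters: verify in the private directory and only then hand the file to the package installer. The installer runs as a separate process and must be able to read the file, so on API 24 and later expose it through a FileProvider content URI, and on older releases make the private copy world-readable but never world-writable; a file that other apps can write reopens the same window the SD card created.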
Users are encouraged to download apps from official app stores whenever possible. Where those are unavailable, users must exercise additional caution: each app should be scrutinized before it is downloaded and installed, and the permissions it requests can show whether it is asking for more access than it needs. Using a device's built-in security features and installing a security solution can significantly improve a device's resistance to these types of threats.
We have already contacted Google about this concern.
With additional analysis by Harry Ding.