Hackers are hijacking the app download process on Android smartphones and installing malware without users' knowledge, a new report on Tuesday has found.
By exploiting the Android vulnerability, hackers can get access to users' usernames, passwords and other sensitive data. About 49.5 percent of current Android device users could be affected by the security loophole, according to cybersecurity firm Palo Alto Networks.
The technique, which Palo Alto Networks calls "Android Installer Hijacking", works by intercepting the installation process on Google's mobile operating system for apps downloaded from third-party app stores; apps installed through the Google Play store are not affected.
When a user goes to install an app, they are shown a list of "permissions": the actions the app wants to carry out and the parts of the phone it wants to access, such as the contacts list. The user then taps "next" and "install" to proceed.
The vulnerability lies in this step. While the user is reading the permission list, an attacker on the device can modify the app in the background and change the permissions it requests, without anything on screen changing. The user then installs what appeared to be a legitimate piece of software, but what actually lands on the phone is malicious.
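The installation flow described above, reduced to a runnable simulation. This is an added example and is not code from the Palo Alto Networks report or from Android itself: a "package" here is a constructed JSON file standing in for an APK, the directory the attacker can write to stands in for storage that other apps on the device can modify, and the hardened flow (copy the package somewhere the attacker cannot write before showing permissions, pin its hash, install only from that copy) is a general mitigation for this class of race, not the specific patch Google shipped.

```python
"""Simulation of the installer-hijacking race: permissions are shown from
one read of the package, the install happens from a second read, and an
attacker changes the package in between.

Assumptions (not Android code): a package is a JSON file with a permission
list and a payload string; the attacker can overwrite the original package
file but never the installer's private staging directory.
"""
import hashlib
import json
import os
import shutil
import tempfile

BENIGN_PERMS = ["INTERNET"]
MALICIOUS_PERMS = ["INTERNET", "READ_CONTACTS", "READ_SMS", "SEND_SMS"]


def write_package(path, permissions, payload):
    """Write a constructed package file (stand-in for an APK)."""
    with open(path, "w") as f:
        json.dump({"permissions": permissions, "payload": payload}, f)


def read_package(path):
    """Parse a constructed package file."""
    with open(path) as f:
        return json.load(f)


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def attacker_swaps_package(path):
    """Background attacker: overwrite the package while the user is still
    looking at the permission screen. The permissions and payload change,
    but nothing on screen does."""
    write_package(path, MALICIOUS_PERMS, "steal credentials")


def vulnerable_install(package_path, user_confirms, attacker=None):
    """Flawed flow: parse the package in place to display permissions, then
    read the same path again to install after the user taps Install."""
    shown = read_package(package_path)["permissions"]
    if attacker:
        attacker(package_path)              # race window: user is still reading
    if not user_confirms(shown):
        return None
    installed = read_package(package_path)  # second read sees the swapped file
    return {"shown": shown, "installed": installed["permissions"]}


def hardened_install(package_path, user_confirms, attacker=None, private_dir=None):
    """Hardened flow: copy the package into private storage before showing
    anything, pin its hash, and install only from that copy, refusing if the
    copy changed between review and confirmation."""
    private_dir = private_dir or tempfile.mkdtemp(prefix="installer-private-")
    staged = os.path.join(private_dir, "staged.pkg")
    shutil.copyfile(package_path, staged)
    expected = sha256_file(staged)
    shown = read_package(staged)["permissions"]
    if attacker:
        attacker(package_path)              # attacker still rewrites the original
    if not user_confirms(shown):
        return None
    if sha256_file(staged) != expected:
        raise RuntimeError("package changed after permissions were reviewed")
    installed = read_package(staged)        # installs exactly what was reviewed
    return {"shown": shown, "installed": installed["permissions"]}


def accept_anything(perms):
    """A user who taps Install on whatever permission list is shown."""
    return True


def run_demo():
    """Run both flows against the same background attacker and return what
    each showed versus what each installed."""
    public_dir = tempfile.mkdtemp(prefix="sdcard-")   # attacker-writable location
    pkg = os.path.join(public_dir, "game.pkg")
    write_package(pkg, BENIGN_PERMS, "play game")
    vuln = vulnerable_install(pkg, accept_anything, attacker_swaps_package)
    write_package(pkg, BENIGN_PERMS, "play game")     # reset for the second run
    hard = hardened_install(pkg, accept_anything, attacker_swaps_package)
    return {"vulnerable": vuln, "hardened": hard}


if __name__ == "__main__":
    outcome = run_demo()
    for name, result in outcome.items():
        print(f"{name}: shown={result['shown']} installed={result['installed']}")
```

In the vulnerable flow the user is shown a single INTERNET permission and ends up with an app that can read contacts and send SMS; in the hardened flow the attacker's overwrite of the original file is irrelevant because the installer never reads it again after the copy was made.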
"This Android vulnerability means users who think they're accessing legitimate applications with approved permissions may instead be exposed to data theft and malware," Ryan Olson, intelligence director at Palo Alto Networks, said in a statement.
The disclosure today follows recent security concerns over Android. A report by FireEye last month found that over five billion downloaded Android apps are vulnerable to being hacked.
Palo Alto Networks' report says Android versions 4.3 and earlier may contain the vulnerability, while Android 4.4 and later fix it. That leaves roughly half of the Android devices in use potentially affected.
The cybersecurity company uncovered the flaw in January 2014. In February it reported it to Google, in March it told Samsung and in September it notified Amazon. The public disclosure was made on Tuesday. Palo Alto Networks said it was working with Google as well as device manufacturers such as Samsung.
Google said in a statement that it had released a patch to fix the vulnerability in Android 4.3 and later. "The Android Security Team has not detected any attempts to exploit this vulnerability on user devices," the search giant added.
Amazon urged customers in a statement to move to the latest version of its app store.