A leak in Android 4.2 and older versions of the mobile operating system allows apps to install malware unnoticed , according to security company Palo Alto Networks. Also some phones running Android 4.3 are vulnerable. According to recent statistics more than 50% of all Android devices runs on the affected versions.
The security issue is only dangerous when installing apps outside the Google Play Store. By default it's not possible to install such .APK files on Android, an user has to change a setting in order to allow this.
The leak makes it possible to hijack the installation of apps and attackers can gain access to more parts of the phone than reported during installation. Normally users have to give permission to apps to access e.g. GPS data or the photo gallery. However the leak makes it possible to access this data without permission.
Palo Alto Networks states it discovered the leak in January 2014 already. The company has been working with Google and Samsung to release patches for Android and for Android versions shipped by phone manufacturers.
Therefore newer Android versions are not vulnerable. Unfortunately many older devices are no longer supported by phone manufacturers and don't receive updates anymore, leaving them vulnerable. Palo Alto has released an app which allow users to check whether their device is vulnerable.
