A report by cybersecurity company Palo Alto Networks revealed that hackers could be taking over the process of downloading apps on Android-powered devices to install malware without any knowledge of the user.
By taking advantage of the vulnerability that was discovered in Android, hackers will be able to retrieve the usernames, passwords and other confidential information of a user.
Palo Alto Networks said that almost half, at 49.5 percent, of all the current users of Android devices may be exposed to the security issue.
This type of hacking attack, which was given the name Android Installer Hijacking, is exploited by hackers intercepting installation procedures for the Android mobile operating system for apps that are acquired from third-party app stores, and not the Google Play store.
When users download and install an app, different "permissions" are shown. These permissions are actions that the app is looking to perform or components of the device's data that it is looking to access, such as the user's contacts.
The receipt of the permissions information is where the vulnerability resides, as hackers can change the background code to change the permissions that are being requested by the app without the knowledge of the user. This effectively masks malware as a legitimate and safe app, and users will not suspect otherwise because of the hacked permissions screen.
"The danger is that this vulnerability allows all privileges to be installed regardless of what permissions users were told about," said Palo Alto Networks intelligence director Ryan Olson.
"This Android vulnerability means users who think they're accessing legitimate applications with approved permissions may instead be exposed to data theft and malware," Olson added.
According to Palo Alto Networks' report, devices running on Android 4.3 and earlier could be exposed to the vulnerability, with a fix already implemented for Android 4.4 and higher versions. However, due to the fragmentation of Android, there are still many devices that have not updated from Android 4.3, specifically 49.5 percent of all Android devices.
Palo Alto Networks discovered the vulnerability in January of last year and reported it to Google the following month. The cybersecurity company then informed Samsung of the flaw in March 2014, and then Amazon last September.
Palo Alto Networks said that it was cooperating with Google and device manufacturers including Samsung in hopes of addressing and completely plugging up the flaw.
Google said that it had fixed the vulnerability for Android 4.3 and higher, but Palo Alto Networks was able to identify devices that were shipped with Android 4.3 but did not have the security patch installed.
