Roughly half of all Android handsets are vulnerable to a newly discovered hack that in some cases allows attackers to surreptitiously modify or replace seemingly benign apps with malicious ones that steal passwords and other sensitive data.

The "Android installer hijacking" vulnerability, as it has been dubbed by researchers from Palo Alto Networks, works only when apps are being downloaded from third-party app stores or when a user clicks on an app promotion advertisement hosted by a mobile advertisement library. Technically, it's based on what's known as a Time-of-check to time-of-use vulnerability. Affected devices fail to verify that the app being installed at the time of use was the one the end user approved during the time of check, which occurs when a user approves app permissions such as network access or access to the contacts database. The bug involves the way the system application called PackageInstaller installs app files known as APKs.

"A vulnerability exists in this process because while the user is reviewing this information, the attacker can modify or replace the package in the background," Palo Alto Networks researcher Zhi Xu wrote in a blog post published Tuesday. "Verified with Android OS source code posted in AOSP [Android Open Source Project], it shows that the PackageInstaller on affected versions does not verify the APK file at the 'time of use.' Thus, in the "time of use' (i.e., after clicking the 'install button), the PackageInstaller can actually install a different app with an entirely different set of permissions."

One scenario for exploiting the vulnerability involves an attacker using a benign-looking app to install malware in the future. A second scenario uses the same weakness to mask the true permissions an app requires. In both cases, targeted users can end up installing apps that are vastly different from the ones they approved during the permissions process.

The vulnerability has been patched in Android version 4.3_r0.9 and later, but Xu warned that some Android 4.3 devices remain vulnerable. By Google estimates, that accounts for 49.9 percent of the handsets the company monitors. Palo Alto Networks has released a scanner app that will indicate if a given device is vulnerable. People using vulnerable devices should steer clear of third-party app stores and use Google Play as their sole source of apps.