Vulnerability Disclosure - Business Logic: Android Content Provider Preventing New App Installation

Kartik Lalan
Published in NestedIf
Aug 23, 2021

Status: Open (As on 23-Aug-2021)

Impacted Component: Android App installation (Content Provider)

Vulnerability Description: It was observed that Android freely allows any application to define a Content Provider with a name of the developer's choice. However, at installation time it refuses to install an application if an already installed app has a Content Provider with the same name. Making use of this, an evil app can be created with the same Content Provider name as that of a targeted app and can easily be uploaded to the Play Store. From then on, if the user is tricked into installing the evil app on their device, the user would never be able to install the targeted app. To add to the trouble, the failed installation shows a very generic message, due to which the end user can never understand what's wrong.

Generic Error Message on Failure of Installation (because of Forged Content Provider app)

Impact rationale: This would cause loss of availability, since legitimate apps wouldn't be installed on mobile/tablet/TV devices, i.e. a case of Denial of Service.
This would be very crucial since many businesses these days rely 100% on mobile applications. If this tactic is used along with advertisement campaigns to prevent installation of competitor apps, it would result in unfair business growth.

Exploitability rationale: These apps can be made very easily and published on the Google Play Store as well. Scanning through Play Protect also shows such apps as safe. No anti-virus solution would flag them ideally. Such apps can also be sideloaded if the end user has enabled ‘allow installation from unknown sources’. The installation failure message is so generic that the end user would never realize the presence of the evil app. Android apps can be made without a displayable icon and can run in the background, which would make it even more difficult for the end user to find the root cause.

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L = 4.3 (Medium Severity)

Android Device: Tried across OS 6, 7.1, 8, 10 (non-rooted & without enabling developer option)

Steps to reproduce:
1. Install Play Store Download link: may work until they block it manually
2. Then try to install WhatsApp (this is used just for demonstration)
The installation in Step #2 above will not be possible, since the app from Step #1 contains a content provider with the same name as the one used in Step #2.

Initial disclosure was in 2016; it remains unfixed to date as a risk vs usability tradeoff.
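
For triage when an installation fails this way, the following added example (not part of the original post) lists which already-installed packages declare a provider name that the blocked app also declares. It assumes the decoded `AndroidManifest.xml` text of each app is available and that the "name" in question is the provider's `android:authorities` value; all package and authority names, and the `sample_manifest` helper, are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

def provider_authorities(manifest_xml):
    """Return (package, authorities) from decoded AndroidManifest.xml text."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for provider in root.iter("provider"):
        # One android:authorities attribute may list several names, ';'-separated.
        raw = provider.get(ANDROID_NS + "authorities", "")
        found.update(a.strip() for a in raw.split(";") if a.strip())
    return root.get("package"), found

def find_blockers(target_manifest, installed_manifests):
    """Map each authority the target declares to other installed packages declaring it."""
    target_pkg, wanted = provider_authorities(target_manifest)
    blockers = {}
    for text in installed_manifests:
        pkg, owned = provider_authorities(text)
        if pkg == target_pkg:
            continue  # same package name is an update, not a cross-app clash
        for authority in sorted(wanted & owned):
            blockers.setdefault(authority, []).append(pkg)
    return blockers

def sample_manifest(package, *authority_attrs):
    """Build a minimal decoded manifest (constructed test data, hypothetical helper)."""
    providers = "".join(
        f'<provider android:name=".P{i}" android:authorities="{a}"/>'
        for i, a in enumerate(authority_attrs))
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}"><application>{providers}</application></manifest>')

# Constructed samples: the app the user cannot install, and what is on the device.
TARGET = sample_manifest(
    "com.example.chat",
    "com.example.chat.provider.media;com.example.chat.provider.contact")
INSTALLED = [
    sample_manifest("com.example.notes", "com.example.notes.provider"),
    sample_manifest("com.example.flashlight", "com.example.flashlight.files",
                    " com.example.chat.provider.media "),
]

if __name__ == "__main__":
    for authority, packages in find_blockers(TARGET, INSTALLED).items():
        print(f"{authority} is already declared by: {', '.join(packages)}")
```

Removing the package reported for the clashing name lets the blocked installation proceed, which is the root cause the generic error message does not reveal.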
