Updating software is to malware as flossing is to gingivitis: a basic practice meant to minimize the risk of infection. But a team of researchers has found that for Google's Android platform, operating system upgrades can also serve as a stealthy new method for malware to sneak its tricks past Android’s security measures.
In a paper they plan to present at the IEEE Security and Privacy symposium in May, a team of researchers from the University of Indiana and Microsoft Research outline a devious new backdoor in Android’s malware protections: It begins when a user is tricked into installing an innocuous-seeming application that asks for few or no permissions to access the phone’s data or use its features. But when the user upgrades to the latest version of Android, the malware app silently upgrades itself, too, gaining new access to the user’s sensitive information or control of other phone functions to access the user’s voicemails, login credentials, text messages, call logs, and more, depending on the version of Android.
Researchers at Indiana University Bloomington and Microsoft released a paper detailing a new set of vulnerabilities in the Android Operating System dubbed Pileu...; where Pileup means “privilege escalation through updating”.
These flaws exist within Android’s Package Management System (PMS) and could allow malware to “upgrade” its privileges simultaneously with a system upgrade.
“Our research brought to light a new type of security-critical vulnerabilities, called Pileup ﬂaws, through which a malicious app can strategically declare a set of privileges and attributes on a low-version operating system (OS) and wait until it is upgraded to escalate its privileges on the new system”
The paper goes on to say they confirmed the existence of the Pileup flaws on every official version of Android and on over 3000 custom versions. In addition, the paper documents several of the exploits used against the Pileup vulnerabilities.
Our research also identified hundreds of exploit opportunities the adversary can leverage over thousands of devices across different device manufacturers, carriers and countries.
While this may sound scary, big vulnerabilities have appeared on Android in the past.
Helpful Webroot Links: