Feeds

Android update process gives malware a leg-up to evil: Indiana U

Old apps get access to privileges that didn't exist when they were written

Top 5 reasons to deploy VMware with Tegile

Researchers from Indiana University Bloomington have tagged a vulnerability in the way Android handles updates, which they say puts practically every Android device at risk of malicious software.

As ThreatPost explains, the vulnerability uses the update process to “ramp up the permissions given to malicious apps once Android is updated without raising an alarm to the user.”

The research was carried out by Indiana's Luyi Xing, Xiaorui Pan, Kan Yuan and XiaoFeng Wang, with help from Rui Wang of Microsoft Research.

What's going on in “Pileup” – privilege escalation through updating – is this: some permission settings offered in newer Android versions aren't present in older versions. A malicious app – one that would raise alarms in a newer version – can be installed in an older version without problems. It can't ask for dangerous permissions, because those permissions don't exist.

However, because Android tries not to break apps during the update process, an update on the infected device will automatically assign the escalated permissions to the malicious app, without alerting the user.

As the paper states, the attack “is not aimed at a vulnerability in the current system. Instead, it exploits the flaws in the updating mechanism of the “future” OS, which the current system will be upgraded to … the adversary can strategically claim a set of carefully selected privileges or attributes only available on the higher OS version”.

In other words, the attacker compares API calls in a late version of Android, and defines that system permission in an app designed for installation on an older version. By way of example, they write, permission.ADD_VOICEMAIL would be ignored in Android 2.3.6 because it doesn't exist – that permission was added in 4.0.4. The app would look benign until the user upgraded to 4.0.4, at which point it becomes exploitable.

The researchers identified six “Pileup” flaws in the Android Package Manager, all of which have been reported to Google and one of which has been fixed.

“With the help of a program analyser, our research discovered 6 such Pileup flaws within Android Package Manager Service and further confirmed their presence in all AOSP (Android Open Source Project) versions and all 3,522 source code versions customized by Samsung, LG and HTC across the world that we inspected,” they write. That means “billions” of devices are affected, they state. ®

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.