Feeds

Android update process gives malware a leg-up to evil: Indiana U

Old apps get access to privileges that didn't exist when they were written

Using blade systems to cut costs and sharpen efficiencies

Researchers from Indiana University Bloomington have tagged a vulnerability in the way Android handles updates, which they say puts practically every Android device at risk of malicious software.

As ThreatPost explains, the vulnerability uses the update process to “ramp up the permissions given to malicious apps once Android is updated without raising an alarm to the user.”

The research was carried out by Indiana's Luyi Xing, Xiaorui Pan, Kan Yuan and XiaoFeng Wang, with help from Rui Wang of Microsoft Research.

What's going on in “Pileup” – privilege escalation through updating – is this: some permission settings offered in newer Android versions aren't present in older versions. A malicious app – one that would raise alarms in a newer version – can be installed in an older version without problems. It can't ask for dangerous permissions, because those permissions don't exist.

However, because Android tries not to break apps during the update process, an update on the infected device will automatically assign the escalated permissions to the malicious app, without alerting the user.

As the paper states, the attack “is not aimed at a vulnerability in the current system. Instead, it exploits the flaws in the updating mechanism of the “future” OS, which the current system will be upgraded to … the adversary can strategically claim a set of carefully selected privileges or attributes only available on the higher OS version”.

In other words, the attacker compares API calls in a late version of Android, and defines that system permission in an app designed for installation on an older version. By way of example, they write, permission.ADD_VOICEMAIL would be ignored in Android 2.3.6 because it doesn't exist – that permission was added in 4.0.4. The app would look benign until the user upgraded to 4.0.4, at which point it becomes exploitable.

The researchers identified six “Pileup” flaws in the Android Package Manager, all of which have been reported to Google and one of which has been fixed.

“With the help of a program analyser, our research discovered 6 such Pileup flaws within Android Package Manager Service and further confirmed their presence in all AOSP (Android Open Source Project) versions and all 3,522 source code versions customized by Samsung, LG and HTC across the world that we inspected,” they write. That means “billions” of devices are affected, they state. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.