Feeds

Android update process gives malware a leg-up to evil: Indiana U

Old apps get access to privileges that didn't exist when they were written

Build a business case: developing custom apps

Researchers from Indiana University Bloomington have tagged a vulnerability in the way Android handles updates, which they say puts practically every Android device at risk of malicious software.

As ThreatPost explains, the vulnerability uses the update process to “ramp up the permissions given to malicious apps once Android is updated without raising an alarm to the user.”

The research was carried out by Indiana's Luyi Xing, Xiaorui Pan, Kan Yuan and XiaoFeng Wang, with help from Rui Wang of Microsoft Research.

What's going on in “Pileup” – privilege escalation through updating – is this: some permission settings offered in newer Android versions aren't present in older versions. A malicious app – one that would raise alarms in a newer version – can be installed in an older version without problems. It can't ask for dangerous permissions, because those permissions don't exist.

However, because Android tries not to break apps during the update process, an update on the infected device will automatically assign the escalated permissions to the malicious app, without alerting the user.

As the paper states, the attack “is not aimed at a vulnerability in the current system. Instead, it exploits the flaws in the updating mechanism of the “future” OS, which the current system will be upgraded to … the adversary can strategically claim a set of carefully selected privileges or attributes only available on the higher OS version”.

In other words, the attacker compares API calls in a late version of Android, and defines that system permission in an app designed for installation on an older version. By way of example, they write, permission.ADD_VOICEMAIL would be ignored in Android 2.3.6 because it doesn't exist – that permission was added in 4.0.4. The app would look benign until the user upgraded to 4.0.4, at which point it becomes exploitable.

The researchers identified six “Pileup” flaws in the Android Package Manager, all of which have been reported to Google and one of which has been fixed.

“With the help of a program analyser, our research discovered 6 such Pileup flaws within Android Package Manager Service and further confirmed their presence in all AOSP (Android Open Source Project) versions and all 3,522 source code versions customized by Samsung, LG and HTC across the world that we inspected,” they write. That means “billions” of devices are affected, they state. ®

Endpoint data privacy in the cloud is easier than you think

More from The Register

next story
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Plug and PREY: Hackers reprogram USB drives to silently infect PCs
BadUSB instructs gadget chips to inject key-presses, redirect net traffic and more
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
prev story

Whitepapers

7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?