A new type of security vulnerability has been found in the Android system's updating process, which can be exploited to steal sensitive data, alter security configurations and even block installation of critical system services, according to joint research by the University of Indiana and Microsoft.
The so-called Pileup flaws hidden inside the Android Package Management Service (PMS) allow a malicious app to harvest a set of new system and signature permissions on a lower version of the OS and perform malicious actions once the update is complete.
For example, the app can define a new permission, such as ADD_VOICEMAIL, on Android 2.3.6; that permission is later introduced as a system permission in Android 4.0.4. Once the device is updated to the new OS version, the app gains access to the user's voicemail without consent. Other preempted permissions can give access to user credentials, call logs or text messages.
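A detection-side check for the permission preemption just described, added here as an example rather than code from the study or from Android's own tooling: it parses an app's AndroidManifest.xml and flags `<permission>` declarations that sit outside the app's own package namespace or inside a platform namespace, which is exactly the shape a Pileup-style app has before an update. The reserved-prefix list and the sample manifest are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Namespaces reserved for platform permissions; a third-party app has no
# business declaring names under them (prefix list is an assumption).
RESERVED_PREFIXES = ("android.permission.", "com.android.")


def find_preempted_permissions(manifest_xml: str) -> list:
    """Return <permission> declarations whose name does not belong to the app.

    A third-party package should only define permissions under its own
    package name; a name under a platform prefix, or outside the package
    namespace entirely, is a candidate for Pileup-style permission preemption.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for perm in root.iter("permission"):
        name = perm.get(ANDROID_NS + "name", "")
        level = perm.get(ANDROID_NS + "protectionLevel", "normal")
        reserved = name.startswith(RESERVED_PREFIXES)
        foreign = bool(package) and not name.startswith(package + ".")
        if reserved or foreign:
            findings.append({
                "name": name,
                "protectionLevel": level,
                "reason": "platform namespace" if reserved
                          else "outside package namespace",
            })
    return findings


# Constructed sample manifest modelled on the ADD_VOICEMAIL case in the text:
# the first <permission> squats on a platform name, the second is legitimate.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <permission android:name="com.android.voicemail.permission.ADD_VOICEMAIL"
              android:protectionLevel="normal"/>
  <permission android:name="com.example.flashlight.permission.TOGGLE"
              android:protectionLevel="signature"/>
  <uses-permission android:name="com.android.voicemail.permission.ADD_VOICEMAIL"/>
</manifest>
"""

if __name__ == "__main__":
    for f in find_preempted_permissions(SAMPLE_MANIFEST):
        print(f"{f['name']} ({f['protectionLevel']}): {f['reason']}")
```

Run against the manifests of apps already installed on a pre-update device to find declarations that would be silently honoured after the upgrade.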
"When the user upgrades the Android to a version that has the respective permission built in, the malicious application is automatically able to use it because it has been granted access in the past. Ironically, we've been complaining for years that Android updates don't quite make it into the market, now we might get updates that enable dormant malware," says Bogdan Botezatu, Senior E-Threat Analyst at Bitdefender.
The tests reveal exploit opportunities across different device manufacturers, carriers and countries. "Our research shows that the permission harvesting and preempting vulnerabilities exist in all official Android versions and all 3,522 customized source code versions by Samsung, LG and HTC that we inspected," the study says.
The researchers have informed Google and major Android vendors of their findings.