Android OS Update Process Vulnerable to Exploitation

A new type of security vulnerability has been found in the Android system`s updating process, which can be exploited to steal sensitive data, alter security configurations and even block installation of critical system services, according to joint research by the University of Indiana and Microsoft.

The so-called Pileup flaws hidden inside the Android Package Management Service (PMS) allow a malicious app to harvest a set of new system and signature permissions on a lower version of the OS and perform malicious actions once the update is complete.

For example, the app can define a new permission, such as permission ADD_VOICEMAIL, on Android 2.3.6, which will be included in Android version 4.0.4. With the new OS version, the app gains access to the user`s voice mail without consent. Other permissions can give access to user credentials, call logs or text messages.

“When the user upgrades the Android to a version that has the respective permission built in, the malicious application is automatically able to use it because it has been granted access in the past. Ironically, we`ve been complaining for years that Android updates don`t quite make it into the market, now we might get updates that enable dormant malware,” says Bogdan Botezatu, Senior E-Threat Analyst at Bitdefender.

The unauthorized app can also lower security levels and even impersonate legitimate apps or webpages such as Google Calendar or banking sites. It can insert malicious Javascript code in the new browser to manipulate cookies or bookmarks that lead to malicious webpages asking for the user`s credentials.

The tests reveal exploit opportunities across different device manufacturers, carriers and countries. “Our research shows that the permission harvesting and preempting vulnerabilities exist in all official Android versions and all 3,522 customized source code versions by Samsung, LG and HTC that we inspected,” the study says.

The researchers have informed Google and major Android vendors of their findings.