
Android OS Update Process Vulnerable to Exploitation

A new class of security vulnerability has been found in the Android system's updating process. It can be exploited to steal sensitive data, alter security configurations and even block the installation of critical system services, according to joint research by Indiana University and Microsoft.

The so-called Pileup flaws sit inside the Android Package Management Service (PMS). A malicious app installed on a lower version of the OS can claim, in its manifest, a set of system and signature permissions that the current version does not yet define; PMS carries those claims over when the device is upgraded, so the app holds the new permissions once the update completes and can then act on them.

For example, the app can request a permission that does not yet exist on Android 2.3.6, such as ADD_VOICEMAIL, which is introduced in Android 4.0.4. On the old version the unknown request is simply ignored at install time, so the user is never asked about it; after the upgrade the app is granted access to the user's voicemail without consent. Other permissions obtained the same way can expose user credentials, call logs or text messages.

“When the user upgrades Android to a version that has the respective permission built in, the malicious application is automatically able to use it because it has been granted access in the past. Ironically, we’ve been complaining for years that Android updates don’t quite make it into the market, now we might get updates that enable dormant malware,” says Bogdan Botezatu, Senior E-Threat Analyst at Bitdefender.

The unauthorized app can also lower security levels and even impersonate legitimate apps or web pages, such as Google Calendar or banking sites, by occupying names that the upgrade expects to introduce. It can insert malicious JavaScript code into the new browser shipped with the update to manipulate cookies or bookmarks, so that they lead to malicious web pages asking for the user’s credentials.
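The two attack patterns described above, permission harvesting (a manifest that requests a permission the current OS lacks but the next one defines) and name preemption (a manifest that defines a permission or occupies a package name the upgrade will add), can both be caught before the update runs by comparing installed manifests against what the target build introduces. The following is an added example written for this page; it is not the study's own scanner tool nor any Android component, and the platform permission and package sets it uses are constructed for illustration rather than a complete API-level table (ADD_VOICEMAIL did arrive with Android 4.0; the others are placeholders). The three manifests are constructed as well.

```python
# Added example (not from the article or the Indiana University/Microsoft study):
# a pre-upgrade scanner that flags Pileup-style risks in installed apps' manifests.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = "{%s}name" % ANDROID_NS  # namespaced attribute, e.g. android:name

# Constructed illustration of what an upgrade introduces. Not a complete
# API-level table: ADD_VOICEMAIL really appeared with Android 4.0; the rest are
# placeholders for "things the new build defines that the old one did not".
OLD_PLATFORM_PERMS = {
    "android.permission.INTERNET",
    "android.permission.READ_CONTACTS",
}
NEW_PLATFORM_PERMS = OLD_PLATFORM_PERMS | {
    "com.android.voicemail.permission.ADD_VOICEMAIL",
    "android.permission.READ_CALL_LOG",
}
NEW_PLATFORM_PACKAGES = {"com.google.android.calendar", "com.android.chrome"}

# Constructed manifests. The first looks harmless on the old OS: the request for
# an unknown permission is ignored at install time, so the user never sees it.
MALICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.android.voicemail.permission.ADD_VOICEMAIL"/>
  <permission android:name="android.permission.READ_CALL_LOG"
      android:protectionLevel="normal"/>
</manifest>"""

SQUATTER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.google.android.calendar">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""


def parse_manifest(xml_text):
    """Return (package name, permissions requested, permissions the app defines)."""
    root = ET.fromstring(xml_text)
    package = root.get("package")
    requested = {e.get(ANDROID_NAME) for e in root.iter("uses-permission")}
    defined = {e.get(ANDROID_NAME) for e in root.iter("permission")}
    return package, requested, defined


def pileup_findings(xml_text, old_perms, new_perms, new_packages):
    """Flag Pileup risks for one app as (kind, name) tuples.

    harvest:            requests a permission the old OS lacks but the new one
                        defines; it would be granted on upgrade without a prompt.
    preempt-permission: defines a permission name the new OS will introduce, so
                        the app's own (weaker) definition is already in place.
    preempt-package:    occupies the package name of an app the upgrade adds,
                        blocking or impersonating it.
    """
    package, requested, defined = parse_manifest(xml_text)
    findings = []
    for perm in sorted(requested - old_perms):
        if perm in new_perms:
            findings.append(("harvest", perm))
    for perm in sorted(defined & (new_perms - old_perms)):
        findings.append(("preempt-permission", perm))
    if package in new_packages:
        findings.append(("preempt-package", package))
    return findings


def scan_device(manifests, old_perms, new_perms, new_packages):
    """Return {package: findings} for every installed app that is at risk."""
    report = {}
    for xml_text in manifests:
        findings = pileup_findings(xml_text, old_perms, new_perms, new_packages)
        if findings:
            report[parse_manifest(xml_text)[0]] = findings
    return report


if __name__ == "__main__":
    report = scan_device([MALICIOUS_MANIFEST, SQUATTER_MANIFEST, BENIGN_MANIFEST],
                         OLD_PLATFORM_PERMS, NEW_PLATFORM_PERMS, NEW_PLATFORM_PACKAGES)
    for package, findings in report.items():
        for kind, name in findings:
            print(f"{package}: {kind} {name}")
```

The check is deliberately run against the permission and package names of the build about to be installed, not the one currently running: on the running build the harvested names do not exist yet, which is exactly why the install-time permission prompt never showed them.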

The tests reveal exploit opportunities across different device manufacturers, carriers and countries. “Our research shows that the permission harvesting and preempting vulnerabilities exist in all official Android versions and all 3,522 customized source code versions by Samsung, LG and HTC that we inspected,” the study says.

The researchers have informed Google and major Android vendors of their findings.

About the author

Alexandra GHEORGHE
