The so-called ‘Pileup’ flaw lurks inside the Android Package Management Service (PMS) which handles the many updates to the Android operating system. It allows malware installed on an Android device to grab new privileges whenever an update occurs and steal the user's sensitive data.
“The Pileup vulnerabilities are critical, highly pervasive and also fundamental,” say the research team.
The opportunity to exploit the flaw is also significant, they say, as there have been 19 official Android version updates since September 2008 – one every three months – while phone providers create versions for multiple carriers and countries, with Samsung so far releasing more than 10,000 different Android versions worldwide.
The researchers say they “highly suspect that all Android devices are vulnerable to our attacks”, adding: “We systematically confirmed the presence of those security flaws on all Android official versions and all 3,522 source code versions customised by Samsung, LG and HTC across the world that we inspected. Our research also identified hundreds of exploit opportunities the adversary can leverage over thousands of devices across different device manufacturers, carriers and countries. The consequences of the attacks are dire.”
Security expert Josh Cannell, malware intelligence analyst at Malwarebytes, agreed that “this threat is important because it could allow malware that's pre-installed on a device to acquire new privileges via a system upgrade”. He told SCMagazineUK.com via email: “Obviously this is a big issue, as you don't expect, nor desire, malware to be ‘upgraded’ when you're only wanting to update the OS.”
Tim Holman, president of the information security professionals association ISSA-UK, also highlighted the scale of Android problems. He told SCMagazineUK.com via email: “A big challenge for Android security researchers is keeping up with the number of custom operating systems available (there are more than 3,000 Android variants) and the number of apps available (there are now more than a million). From a hacker's perspective it's easy to drop some malware through the net, as professional security researchers simply do not have the time and resource to assess each and every permutation for vulnerabilities.”
As for security professionals, Holman said, the way most Android users install apps automatically “is a complete nightmare when employees decide to bring their own devices to work. Only a locked-down build, using known secure operating systems and applications is suitable for a commercial environment. This goes for all mobile devices, and unfortunately Android rarely fits the bill due to what users have done with it at home.”
He added: “My modus operandi is that Android devices are already compromised and I'm standing in hostile territory, unless I've built them myself!”
Josh Cannell added: “While the open and customised nature of Android is great for enthusiasts, it can sometimes be a double-edged sword. Custom ROMs (new Android versions) are great, but can they always be trusted? Make sure you do your homework before you consider using one, as it may have malicious apps with it. Also, most custom ROMs, if not all, will require users to root their phones, and if not done properly, this could leave a phone ‘bricked’.” Users should also install mobile anti-malware software, he said.
The Indiana University/Microsoft research team have reported their findings to key Android-device vendors such as Google, and are helping them fix the issues. They have also developed their own Pileup detection service, called SecUP.
The researchers added that the “Google security team informed us that they came up with a fix for the permission bug and released it to their partners”. Google is also working on solutions for the other bugs.
The research paper, ‘Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating’, was written by Luyi Xing, Xiaorui Pan, Kan Yuan and XiaoFeng Wang of Indiana University Bloomington and Rui Wang of Microsoft. It can be found here.
Another Android flaw
Meanwhile, Trend Micro has revealed another Android security flaw in the system that controls the data that apps can access. In a 20 March blog, Trend Micro mobile threats analyst Weichao Sun said malicious software that is already installed on an Android device could hijack the ‘permissions’ granted to any legitimate apps installed after it – enabling the malware to access the supposedly protected data within the legitimate app.
Trend says it has found almost 10,000 apps at risk from this vulnerability and, while declining to name them, said these include “a popular online store leaks its online browsing history, a popular chat app leaks the user's in-app purchases, and a popular social network can have fake messages inserted via its app”.
Trend has informed Google of the problem, and Weichao Sun warned: “Developers should not rely exclusively on the protection levels when their activities/receivers/services/providers are accessed. Several functions such as getCallingUid and getCallingPackage are provided by the operating system, and can be used to identify any apps requesting the above and implement access control as needed.”
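The advice quoted above is to verify the caller at runtime rather than trust the manifest protection level alone. The following is an added example written for this article, not code from Trend Micro, Google or the researchers: a read-only ContentProvider that checks the calling UID with Binder.getCallingUid, resolves it to package names, and only answers if one of those packages is on an allow-list and is signed with the same certificate as the provider's own app. The class name GuardedProvider, the package name com.example.trustedclient and the sample rows are constructed placeholders; the Android APIs used (Binder.getCallingUid, PackageManager.getPackagesForUid, PackageManager.checkSignatures, ContentProvider.getCallingPackage) are real.

```java
// Added example for this article (not the vendors' code). Demonstrates caller
// verification in a ContentProvider instead of relying on the manifest
// protection level. Names marked "placeholder" are constructed for the example.
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.database.MatrixCursor;
import android.net.Uri;
import android.os.Binder;
import android.os.Process;
import android.util.Log;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class GuardedProvider extends ContentProvider {
    private static final String TAG = "GuardedProvider";

    // Placeholder allow-list: the only foreign packages permitted to read this data.
    private static final Set<String> ALLOWED_CALLERS =
            new HashSet<>(Arrays.asList("com.example.trustedclient"));

    @Override
    public boolean onCreate() {
        return true;
    }

    // Decides whether the current Binder caller may read from this provider.
    // The UID is assigned by the OS and cannot be chosen by the caller, so it is
    // the value to key on; the package name alone is weaker, and a permission
    // declared earlier by another app is exactly what the quoted advice warns about.
    private boolean callerIsTrusted() {
        int callingUid = Binder.getCallingUid();

        // Calls from this app's own process share its UID and are always allowed.
        if (callingUid == Process.myUid()) {
            return true;
        }

        PackageManager pm = getContext().getPackageManager();
        String[] callerPackages = pm.getPackagesForUid(callingUid);
        if (callerPackages == null) {
            return false; // UID not backed by any installed package: refuse.
        }

        String self = getContext().getPackageName();
        for (String pkg : callerPackages) {
            // Both conditions must hold: on the allow-list AND signed with our key,
            // so a look-alike package signed by someone else is rejected.
            if (ALLOWED_CALLERS.contains(pkg)
                    && pm.checkSignatures(self, pkg) == PackageManager.SIGNATURE_MATCH) {
                return true;
            }
        }
        return false;
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        if (!callerIsTrusted()) {
            // Log the denial so repeated probing by an unexpected UID is visible,
            // then refuse. getCallingPackage() (API 19+) is the OS-verified name.
            Log.w(TAG, "Denied query on " + uri + " from uid " + Binder.getCallingUid()
                    + " package " + getCallingPackage());
            throw new SecurityException("Caller is not permitted to read " + uri);
        }

        // Constructed sample data standing in for the app's private records.
        MatrixCursor cursor = new MatrixCursor(new String[] {"_id", "item"});
        cursor.addRow(new Object[] {1, "sample-record-1"});
        cursor.addRow(new Object[] {2, "sample-record-2"});
        return cursor;
    }

    @Override
    public String getType(Uri uri) {
        return "vnd.android.cursor.dir/vnd.example.guarded"; // placeholder MIME type
    }

    // This provider is read-only: every write path is refused outright.
    @Override
    public Uri insert(Uri uri, ContentValues values) {
        throw new UnsupportedOperationException("read-only provider");
    }

    @Override
    public int delete(Uri uri, String selection, String[] selectionArgs) {
        throw new UnsupportedOperationException("read-only provider");
    }

    @Override
    public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
        throw new UnsupportedOperationException("read-only provider");
    }
}
```

The same callerIsTrusted check applies unchanged inside a Service's Binder methods or a BroadcastReceiver. Using checkSignatures against the provider's own package means only apps built with the same signing key pass; if the trusted client is signed with a different key, the check would instead compare the caller's signing certificate against a pinned copy of that key rather than against the provider's own.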