A team of researchers from Indiana University and Microsoft announced a potentially critical, large-scale security flaw in the Android update process. An Android update removes or replaces thousands of files on the smartphone's storage, each of which carries specific attributes and privileges within the file system. While a new update is being installed, a bug that the researchers named "Pileup" could allow malicious parasite apps to be "smuggled" in with the update, posing as replacements for legitimate update files that are already present on the file system and have already been assigned permissions.
The team discovered six Pileup vulnerabilities within the Android Package Management Service and confirmed their presence in all Android Open Source Project versions, as well as in more than 3500 custom ROMs from Android device vendors. The researchers estimate that more than a billion Android devices are potentially vulnerable to Pileup attacks.
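The defensive check that follows from the article is a pre-update audit: before the new image is applied, look for already-installed third-party packages whose identifiers collide with identifiers the update introduces, since those are the ones a package manager could mistake for legitimate update content and carry over with their privileges. The Python below is an added example, not code from the article, from Google, or from the researchers' own tooling. It models package metadata in a deliberately simplified form (package name, permissions a package defines, permissions it requests, and an optional shared user id, all assumed fields rather than the real PackageManager data model), and every package listed in it is constructed sample data.

```python
"""Pre-update identifier collision audit (added example, simplified model)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Package:
    """Simplified package metadata; these fields are an assumption of this example."""
    name: str
    system: bool  # True if shipped in the OS image, False if installed by the user
    defines_permissions: FrozenSet[str] = frozenset()   # permissions the package declares
    requests_permissions: FrozenSet[str] = frozenset()  # permissions the package asks for
    shared_user_id: Optional[str] = None


# (third-party package name, kind of collision, colliding identifier)
Finding = Tuple[str, str, str]


def find_collisions(installed: List[Package], update: List[Package]) -> List[Finding]:
    """Flag third-party packages whose identifiers overlap with what the update ships.

    Four kinds of overlap are reported:
      package-name                      the app uses a name the update introduces
      permission-definition             the app defines a permission the update defines
      permission-request-not-yet-defined the app requests a permission no system package
                                        defines today but the update will define
      shared-user-id                    the app claims a shared user id the update uses
    """
    update_names = {p.name for p in update}
    update_defined = set().union(*(p.defines_permissions for p in update))
    update_shared_uids = {p.shared_user_id for p in update if p.shared_user_id}
    # Permissions the current system image already defines; anything the update
    # defines beyond these is "new" and worth checking for pre-claims.
    current_system_defined = set().union(
        *(p.defines_permissions for p in installed if p.system)
    )
    new_permissions = update_defined - current_system_defined

    findings: List[Finding] = []
    for pkg in installed:
        if pkg.system:
            continue  # only user-installed packages are candidates for smuggling
        if pkg.name in update_names:
            findings.append((pkg.name, "package-name", pkg.name))
        for perm in sorted(pkg.defines_permissions & update_defined):
            findings.append((pkg.name, "permission-definition", perm))
        for perm in sorted(pkg.requests_permissions & new_permissions):
            findings.append((pkg.name, "permission-request-not-yet-defined", perm))
        if pkg.shared_user_id and pkg.shared_user_id in update_shared_uids:
            findings.append((pkg.name, "shared-user-id", pkg.shared_user_id))
    return findings


# Constructed sample data: the current device state and the incoming update.
SAMPLE_INSTALLED = [
    Package("android", system=True,
            defines_permissions=frozenset({"android.permission.INTERNET",
                                           "android.permission.WRITE_SETTINGS"})),
    Package("com.example.weather", system=False,
            requests_permissions=frozenset({"android.permission.INTERNET"})),
    Package("com.android.newfeature", system=False),  # squats a name the update adds
    Package("com.example.squatter", system=False,
            defines_permissions=frozenset({"com.vendor.permission.READ_DIAG"}),
            requests_permissions=frozenset({"com.vendor.permission.READ_DIAG"}),
            shared_user_id="com.vendor.diag"),
]

SAMPLE_UPDATE = [
    Package("android", system=True,
            defines_permissions=frozenset({"android.permission.INTERNET",
                                           "android.permission.WRITE_SETTINGS"})),
    Package("com.android.newfeature", system=True),
    Package("com.vendor.diag", system=True,
            defines_permissions=frozenset({"com.vendor.permission.READ_DIAG"}),
            shared_user_id="com.vendor.diag"),
]


def audit_sample() -> List[Finding]:
    """Run the audit over the constructed sample; returns the collision list."""
    return find_collisions(SAMPLE_INSTALLED, SAMPLE_UPDATE)


if __name__ == "__main__":
    for name, kind, ident in audit_sample():
        print(f"{name}: {kind} collision on {ident}")
```

The well-behaved weather app produces no finding because the only permission it requests already exists on the current system image, while the two constructed squatters are reported once per colliding identifier. A real audit would populate the `Package` records from the device's installed-package list and the update's own manifests; the data model here is an assumption kept small enough to read in one pass.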
While we wait for a response from Google on the matter, we have learned that the company has been made aware of the issue and has fixed one of the six vulnerabilities.