Researchers discover Android security flaw which renders more than a billion devices vulnerable
A team of researchers from Indiana University and Microsoft has announced a potentially critical, large-scale security flaw in the Android update process. Android updates remove or replace thousands of files on the smartphone's storage, each of which has specific attributes and privileges within the file system. While a new update is being installed, a bug that the researchers named "Pileup" could allow parasite malicious apps to be "smuggled" in with the software, posing as replacements for safe update files that are already present on the file system and assigned permissions.
The team has discovered six Pileup vulnerabilities within the Android Package Management Service and confirmed their presence in all Android Open Source Project versions, including more than 3500 custom ROMs by Android device vendors. The researchers estimate that more than a billion Android devices are potentially vulnerable to Pileup attacks.
While we're waiting on a response by Google on the matter, we learned that the company has been made aware of the issue and has fixed one of the six vulnerabilities.