Researchers discover Android security flaw which renders more than a billion devices vulnerable

A team of researchers from Indiana University and Microsoft announced a potentially critical, large-scale security flaw in the Android update process. Android updates remove or replace thousands of files on the smartphone's storage, with each of them having specific attributes and privileges within its file system. While a new update is being installed, a bug that researchers named "Pileup" could allow malicious parasite apps to be "smuggled" in with the software, posing as replacements for safe update files that are already present on the file system and assigned permissions.

As the research report puts it, "a third-party package attribute or property, which bears the name of its system counterpart, can be elevated to a system one during the updating shuffle-up where all apps are installed or reinstalled, and all system configurations are reset. Also, when two apps from old and new systems are merged as described above, security risks can also be brought in when the one on the original system turns out to be malicious." Apparently, current Android security solutions don't detect the infected files' activity as suspicious, and the end user has no means to monitor when new permissions are granted to them. Meanwhile, attackers can exploit the Pileup vulnerability to inject malicious JavaScript code that could grant them control of user data.
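A defensive pre-update check built on the name-collision condition quoted above, as an added example that is not part of the original article or the researchers' own tooling: it parses decoded manifests and flags third-party apps that declare a name matching one that only the new OS image defines. Treating package names, permission definitions and shared user IDs as the relevant "attributes" is an assumption, and every name and the `NEW_SYSTEM_NAMES` inventory below are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

def declared_names(manifest_xml):
    """Names a decoded AndroidManifest.xml claims for itself, keyed by kind."""
    root = ET.fromstring(manifest_xml)
    shared = root.get(ANDROID_NS + "sharedUserId")
    return {
        "package": {root.get("package")},
        # <permission> defines a name; <uses-permission> only requests one.
        "permission": {p.get(ANDROID_NS + "name") for p in root.iter("permission")},
        "sharedUserId": {shared} if shared else set(),
    }

def pileup_collisions(third_party_manifests, new_system_names):
    """Return (package, kind, name) for every third-party declaration that
    matches a name only the new OS image defines."""
    findings = []
    for xml_text in third_party_manifests:
        declared = declared_names(xml_text)
        (pkg,) = declared["package"]
        for kind, values in declared.items():
            for name in sorted(values & new_system_names.get(kind, set())):
                findings.append((pkg, kind, name))
    return findings

def make_manifest(pkg, perms=(), shared=None):
    """Build a constructed, decoded manifest for the demo below."""
    attrs = f' android:sharedUserId="{shared}"' if shared else ""
    body = "".join(f'<permission android:name="{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
            f' package="{pkg}"{attrs}>{body}</manifest>')

# Constructed inventory: names that exist in the new image but not the old one.
NEW_SYSTEM_NAMES = {
    "package": {"com.example.newos.vault"},
    "permission": {"com.example.newos.permission.READ_VAULT"},
    "sharedUserId": {"com.example.newos.uid.vault"},
}
# Constructed third-party apps installed on the device before the update.
INSTALLED = [
    make_manifest("com.example.flashlight", ["com.example.newos.permission.READ_VAULT"]),
    make_manifest("com.example.notes", ["com.example.notes.permission.SYNC"]),
    make_manifest("com.example.newos.vault", shared="com.example.newos.uid.vault"),
]

if __name__ == "__main__":
    for finding in pileup_collisions(INSTALLED, NEW_SYSTEM_NAMES):
        print(finding)
```

Any finding means an already-installed app holds a name the update is about to treat as a system one, so the app should be reviewed or removed before the update is applied.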

The team has discovered six Pileup vulnerabilities within the Android Package Management Service and confirmed their presence in all Android Open Source Project versions, including more than 3500 custom ROMs by Android device vendors. The researchers estimate that more than a billion Android devices are potentially vulnerable to Pileup attacks.

While we're waiting on a response by Google on the matter, we learned that the company has been made aware of the issue and has fixed one of the six vulnerabilities.

source: Indiana University (PDF) via ZDNet, Techwalls

