x PhoneArena is hiring! Reviewer in the USA

Researchers discover Android security flaw which renders more than a billion devices vulnerable

Posted: , posted by Luis D.

Tags :

Researchers discover Android security flaw which renders more than a billion devices vulnerable

A team of researchers coming from Indiana University and Microsoft announced a potentially critical, large-scale security flaw in the Android update process. Android updates remove or replace thousands of files on the smartphone's storage, with each of them having specific attributes and privileges within its file system. While a new update is being installed, a bug that researchers named "Pileup" could allow parasite malicious apps to be "smuggled" with the software, posing as replacements for safe update files that are already present on the file system and assigned permissions.

As the research report puts it, "a third-party package attribute or property, which bears the name of its system counterpart, can be elevated to a system one during the updating shuffle-up where all apps are installed or reinstalled, and all system configurations are reset. Also, when two apps from old and new systems are merged as described above, security risks can also be brought in when the one on the original system turns out to be malicious." Apparently, current Android security solutions don't detect the infected files' activity as suspicious, and the end user has no means to monitor when new permissions are granted to them. Meanwhile, attackers can exploit the Pileup vulnerability to inject malicious JavaScript code that could grant them control of user data.

The team has discovered six Pileup vulnerabilities within the Android Package Management Service and confirmed their presence in all Android Open Source Project versions, including more than 3500 custom ROMs by Android device vendors. The researchers estimate that more than a billion Android devices are potentially vulnerable to Pileup attacks.

While we're waiting on a response by Google on the matter, we learned that the company has been made aware of the issue and has fixed one of the six vulnerabilities.

source: Indiana University (PDF) via ZDNet , Techwalls

  • Options

Want to comment? Please login or register.

Latest stories