Researchers discover Android security flaw which renders more than a billion devices vulnerable

A team of researchers from Indiana University and Microsoft has announced a potentially critical, large-scale security flaw in the Android update process. An Android update removes or replaces thousands of files on the device's storage, each of which carries specific attributes and privileges within the file system. While a new update is being installed, a bug the researchers named "Pileup" lets a malicious app that is already present on the old system be "smuggled" into the updated one: attributes it declared under the names of components the new system introduces are treated as if they belonged to the system itself, and the app ends up with privileges it was never meant to have.



As the research report puts it, "a third-party package attribute or property, which bears the name of its system counterpart, can be elevated to a system one during the updating shuffle-up where all apps are installed or reinstalled, and all system configurations are reset. Also, when two apps from old and new systems are merged as described above, security risks can also be brought in when the one on the original system turns out to be malicious." According to the researchers, current Android security tools do not flag the activity of such apps as suspicious, and the end user has no way to see when new permissions are granted to them. An attacker can use Pileup to, among other things, inject malicious JavaScript code that could give them control over user data.
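To make the mechanism in the quoted passage concrete, here is a simplified model, added as an example and not taken from the paper or from AOSP's PackageManagerService, of what happens when a third-party app on the old system has already declared a permission name that an app in the new system introduces. `install_all` replays the reinstall pass over every package. With `system_wins=False` the first declarer keeps the name, so the carried-over third-party definition is never displaced and the malicious app keeps the "normal"-level grant it gave itself; with `system_wins=True` the system declaration displaces it and grants made under the old definition are revoked. All package and permission names are hypothetical.

```python
# Added example: a simplified model of the Pileup "updating shuffle-up"
# described in the quoted report. This is NOT code from the paper or from
# AOSP's PackageManagerService; package and permission names are hypothetical.
from dataclasses import dataclass, field


@dataclass
class PermissionDef:
    name: str
    owner: str          # package that declared the permission
    protection: str     # "normal": auto-granted to any requester; "signature": system only
    system: bool        # whether the owner is a system package


@dataclass
class Package:
    name: str
    system: bool
    defines: list = field(default_factory=list)   # [(permission name, protection)]
    requests: list = field(default_factory=list)  # permission names this app uses


class Registry:
    """Package settings that survive an update (permission table and grants)."""
    def __init__(self):
        self.perms = {}     # permission name -> PermissionDef
        self.granted = {}   # package name -> set of granted permission names


def install_all(packages, reg, system_wins):
    """Install or reinstall every package, as the update pass does.

    system_wins=False keeps whichever package declared a name first, even a
    third-party one (the behaviour the quoted report describes).
    system_wins=True lets a system declaration replace a third-party one and
    revokes any grants made under the earlier definition.
    """
    for pkg in packages:
        for perm_name, protection in pkg.defines:
            existing = reg.perms.get(perm_name)
            if existing is None:
                reg.perms[perm_name] = PermissionDef(perm_name, pkg.name, protection, pkg.system)
            elif system_wins and pkg.system and not existing.system:
                reg.perms[perm_name] = PermissionDef(perm_name, pkg.name, protection, pkg.system)
                for grants in reg.granted.values():
                    grants.discard(perm_name)   # re-evaluate under the system definition
            # otherwise the first definer keeps the name
    # Grant pass: "normal" goes to anyone who asks, "signature" only to system
    # packages (a simplification of Android's signature check).
    for pkg in packages:
        grants = reg.granted.setdefault(pkg.name, set())
        for perm_name in pkg.requests:
            d = reg.perms.get(perm_name)
            if d is None:
                continue
            if d.protection == "normal" or (d.protection == "signature" and pkg.system):
                grants.add(perm_name)
    return reg


PERM = "com.example.permission.READ_NEW_DATA"   # hypothetical, introduced by the new OS version


def simulate(system_wins):
    """Install a malicious app on the old system, then apply an update that
    introduces a system app guarding data with a permission of the same name.
    Returns (owner of the name after the update, its protection level,
    whether the malicious app holds it)."""
    reg = Registry()
    old_system = [
        Package("com.example.systemapp", system=True),
        Package("com.evil.app", system=False,
                defines=[(PERM, "normal")], requests=[PERM]),
    ]
    install_all(old_system, reg, system_wins)           # pre-update state

    new_system = old_system + [
        Package("com.example.newdataprovider", system=True,
                defines=[(PERM, "signature")]),
    ]
    install_all(new_system, reg, system_wins)           # the update shuffle-up
    d = reg.perms[PERM]
    return d.owner, d.protection, PERM in reg.granted["com.evil.app"]


if __name__ == "__main__":
    print("first definer wins:", simulate(system_wins=False))
    print("system wins:       ", simulate(system_wins=True))
```

The point of the model is the check at the `elif`: without it, a definition that happened to be registered first is never re-examined when a system package later claims the same name, which is exactly the "elevated to a system one" outcome the report describes.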



The team discovered six Pileup vulnerabilities within the Android Package Management Service and confirmed their presence in all Android Open Source Project versions, including more than 3,500 custom ROMs by Android device vendors. The researchers estimate that more than a billion Android devices are potentially vulnerable to Pileup attacks.



While we're waiting on a response from Google on the matter, we have learned that the company has been made aware of the issue and has fixed one of the six vulnerabilities.



source: Indiana University (PDF) via ZDNet, Techwalls

41 Comments

1. valapsp

Posts: 565; Member since: Aug 12, 2011

watttttt?

11. itsdeepak4u2000

Posts: 3718; Member since: Nov 03, 2012

Yes, that too comes up with the updates given by the OEMs.

42. tasior

Posts: 265; Member since: Nov 04, 2012

Every system is vulnerable during an update. It's logical. Update means changing the system. If the update is infected, it infects the system. That's why it's crucial to get the update from a reliable source. The only difference between Android and Windows or iOS is that Android allows you to be the judge of whether the source is reliable. Windows and iOS can be updated only by MS and Apple.

2. papss unregistered

Shocking...

31. Arte-8800

Posts: 4562; Member since: Mar 13, 2014

YES PAPSS, your beloved platform is bullying and insulting others while their W8 platform has more hackers and viruses than Android and OSX

41. sgodsell

Posts: 7459; Member since: Mar 16, 2013

Naturally Microsoft has to find this security flaw. We can all rest easy now knowing that Microsoft is always looking out for our best interests. Yeah, right. The world knows how trustworthy Microsoft is when it comes to Android.

3. chunky1x

Posts: 270; Member since: Mar 28, 2010

Not really surprising to me. My Windows 7 has way, way more security risks than Android, iOS and Windows 8 combined.

4. Troysyx

Posts: 181; Member since: Jul 30, 2012

Anyone else find it odd that it came from researchers at "Indiana University and MICROSOFT"??

8. itsdeepak4u2000

Posts: 3718; Member since: Nov 03, 2012

Yeah, I thought the same.

9. PapaSmurf

Posts: 10457; Member since: May 14, 2012

Uh huh. That's sketchy.

17. Ashoaib

Posts: 3298; Member since: Nov 15, 2013

You got a point... why is Microsoft researching Android's vulnerabilities??? Microsoft should focus on its own OS...

35. blade19

Posts: 65; Member since: Apr 29, 2011

yup...

5. networkdood

Posts: 6330; Member since: Mar 31, 2010

Oh no, perhaps I should get a Windows phone...hmmm, nm...how about an iphone? Yeah, ok, so every phone has a security risk...Phonearena just stop with these lame stories...

10. PapaSmurf

Posts: 10457; Member since: May 14, 2012

Not worried at all. Lookout Premium will get the job done.

15. networkdood

Posts: 6330; Member since: Mar 31, 2010

Tried it, never had a need for it and I have been using Android for 4 years now...

26. PapaSmurf

Posts: 10457; Member since: May 14, 2012

It's pre-installed on my Note 3 and I got the Premium suite for free. It actually works as it prevented me from downloading several APKs and mp3s that were Trojans and malware. Can't complain. :)

27. networkdood

Posts: 6330; Member since: Mar 31, 2010

hey, that is good, though - but, I never had those problems - but good to have that protection...

12. androiphone20

Posts: 1654; Member since: Jul 10, 2013

If you really thought that this report was looking to get you to buy a phone from another platform then you probably clicked on the wrong link. You take it to the most literal sense it's cray.

14. networkdood

Posts: 6330; Member since: Mar 31, 2010

Actually, this is exactly what the report is doing - look at the sources of the report.... Luyi Xing, Xiaorui Pan, Rui Wang†, Kan Yuan and XiaoFeng Wang, Indiana University Bloomington, Email: {luyixing, xiaopan, kanyuan, xw7}@indiana.edu; †Microsoft Research, Email: ruiwan@microsoft.com

20. Ashoaib

Posts: 3298; Member since: Nov 15, 2013

Please add ching ming chong from hongkong :))

22. networkdood

Posts: 6330; Member since: Mar 31, 2010

not up to me - ask Indiana U and microsoft :-)

34. Ashoaib

Posts: 3298; Member since: Nov 15, 2013

Probably Microsoft will add Bill Paid and Tallmer ;)

16. networkdood

Posts: 6330; Member since: Mar 31, 2010

This is the source of the article: http://www.informatics.indiana.edu/xw7/papers/privilegescalationthroughandroidupdating.pdf It is just another company creating a scare, and lo and behold Microsoft is involved... and that in itself is ironic....

6. androiphone20

Posts: 1654; Member since: Jul 10, 2013

Same as Dendroid?

21. Ashoaib

Posts: 3298; Member since: Nov 15, 2013

No dandruff :p

7. androiphone20

Posts: 1654; Member since: Jul 10, 2013

This is the part where Eric takes back his words

13. protozeloz

Posts: 5396; Member since: Sep 16, 2010

While on paper this sounds like a lot, it requires quite a few things to actually be pulled off (like bypassing the package verification processes before the install). While this could be a security issue and should be addressed, I don't see how the average user (read: the one not flashing random ROMs) could be affected by it.

18. Sniggly

Posts: 7305; Member since: Dec 05, 2009

While it sucks that the vulnerability exists in the first place (though it sounds like Microsoft was really working on finding vulnerabilities that they can use in attack ads against Android), it sounds like Google is already working on solutions to the problem. Someone once pointed out that while security has to think of every possible entry point in software, hackers only have to find one way in. I'd say for as popular as Android is, it's impressive that vulnerabilities like these are found so rarely.

19. networkdood

Posts: 6330; Member since: Mar 31, 2010

If you go here: http://secureandroidupdate.org./ it is explained in greater detail and you can see who is behind this info...

24. Sniggly

Posts: 7305; Member since: Dec 05, 2009

Nice. They take an opportunity to plug their own "security" app. Not saying the problem doesn't exist, but between that and Microsoft's involvement, I smell a rat.
