Pileup flaws enable privilege escalation during Android updates, researchers find

Privilege escalation is made possible due to a new type of vulnerability known as Pileup flaws.

Under the right conditions, simply updating any Android device can enable an attacker to escalate app privileges and carry out a range of malicious actions, according to researchers with Indiana University Bloomington.

The privilege escalation is made possible by a new type of vulnerability known as Pileup flaws, which the researchers discovered in the Package Management Service (PMS), the component that enables Android devices to update.

“So basically, new apps installed on old versions of Android can request permissions for things that don't exist on the old version of Android, but will on new versions,” Charlie Miller, a security researcher with Twitter who gained fame for finding notable vulnerabilities in Apple products, told SCMagazine.com in an email correspondence.

Miller explained, “This doesn't cause problems on the old version. The problem is that when the user does someday update to the new version, Android just keeps all the permissions from before except now they actually work.” 

The end result is that the app attains system and signature permissions and can control the settings too, such as protection levels. It can also substitute for and block new system apps, contaminate data, steal user information, change security configurations, and prevent installation of critical system services, according to the researchers' paper.

Pileup flaws can be exploited on all official Android versions, and more than 3,000 customized versions, across thousands of device manufacturers, carriers and countries, the researchers determined, explaining that they developed a service capable of detecting apps configured to exploit Pileup flaws.

“The fix would be to not allow these types of 'new' permissions to carry over on update,” Miller said. “As a non-technical Android user, the best you can do is to only download trusted apps. If you are technically minded, when you upgrade Android, you may want to compare app permissions before and after upgrade.”
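
The before-and-after comparison Miller describes can be automated. The sketch below is an added example, not code from the researchers or the article: the one-line-per-permission snapshot format, the package names and the `example.newos.permission.MANAGE_VAULT` permission are all constructed for illustration.

```python
from collections import defaultdict

def parse_snapshot(text):
    """Parse 'package state permission' lines into {package: {state: set}}."""
    snap = defaultdict(lambda: {"requested": set(), "granted": set()})
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pkg, state, perm = line.split()
        if state not in ("requested", "granted"):
            raise ValueError(f"unknown state {state!r}")
        snap[pkg][state].add(perm)
        snap[pkg]["requested"].add(perm)  # anything granted was also requested
    return dict(snap)

def carried_over_grants(before, after):
    """Permissions an app requested but did not hold before the OS upgrade
    and does hold afterwards: the carry-over pattern described above."""
    findings = {}
    for pkg, old in before.items():
        new = after.get(pkg)
        if new is None:
            continue  # app no longer installed after the upgrade
        dormant = old["requested"] - old["granted"]
        activated = dormant & new["granted"]
        if activated:
            findings[pkg] = sorted(activated)
    return findings

# Constructed snapshots taken before and after an OS upgrade.
BEFORE = """
com.example.notes      granted   android.permission.INTERNET
com.example.flashlight granted   android.permission.INTERNET
com.example.flashlight requested example.newos.permission.MANAGE_VAULT
"""
AFTER = """
com.example.notes      granted   android.permission.INTERNET
com.example.flashlight granted   android.permission.INTERNET
com.example.flashlight granted   example.newos.permission.MANAGE_VAULT
# new system app shipped with the upgrade; not a carry-over
com.example.vault      granted   example.newos.permission.MANAGE_VAULT
"""

if __name__ == "__main__":
    report = carried_over_grants(parse_snapshot(BEFORE), parse_snapshot(AFTER))
    for pkg, perms in report.items():
        print(f"{pkg} gained on upgrade: {', '.join(perms)}")
```

An app flagged here asked for a permission the old OS did not grant and received it only because the OS changed underneath it, which is the case worth reviewing by hand.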
