Pileup flaws enable privilege escalation during Android updates, researchers find

Privilege escalation is made possible due to a new type of vulnerability known as Pileup flaws.

Under the right conditions, simply updating any Android device can enable an attacker to escalate app privileges and carry out a range of malicious actions, according to researchers with Indiana University Bloomington.

The privilege escalation is made possible by a new type of vulnerability, known as Pileup flaws, which the researchers discovered in the Package Management Service (PMS), the service that enables Android devices to update.

“So basically, new apps installed on old versions of Android can request permissions for things that don't exist on the old version of Android, but will on new versions,” Charlie Miller, a security researcher with Twitter who gained fame for finding notable vulnerabilities in Apple products, told SCMagazine.com in an email correspondence.

Miller explained, “This doesn't cause problems on the old version. The problem is that when the user does someday update to the new version, Android just keeps all the permissions from before except now they actually work.” 

The end result is that the app attains system and signature permissions, and it can control the settings too, such as protection levels. It can also substitute for and block new system apps, contaminate data, steal user information, change security configurations, and prevent installation of critical system services, according to the researchers' paper.

Pileup flaws can be exploited on all official Android versions, and more than 3,000 customized versions, across thousands of device manufacturers, carriers and countries, the researchers determined, explaining that they developed a service capable of detecting apps configured to exploit Pileup flaws.

“The fix would be to not allow these types of "new" permissions to carry over on update,” Miller said. “As a non-technical Android user, the best you can do is to only download trusted apps. If you are technically minded, when you upgrade Android, you may want to compare app permissions before and after upgrade.”
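The before-and-after comparison Miller suggests can be scripted. The following is an added example, not code from the researchers or from Android: it assumes a hypothetical tab-separated snapshot format (package, permission, state) taken before and after the OS upgrade, and it flags any permission that was only requested before the upgrade but is granted afterwards. All package names and the placeholder permission name are constructed.

```python
"""Diff per-app permission state across an Android OS upgrade (added example)."""

# Constructed snapshots in a hypothetical format: package<TAB>permission<TAB>state.
# "requested" = declared by the app but not granted (assumed here to be how a
# permission the old OS version does not define yet would be recorded).
# PLACEHOLDER_NEW_PERMISSION is a made-up name, not a real Android permission.
BEFORE = (
    "com.example.notes\tandroid.permission.INTERNET\tgranted\n"
    "com.example.notes\tandroid.permission.PLACEHOLDER_NEW_PERMISSION\trequested\n"
    "com.example.maps\tandroid.permission.ACCESS_FINE_LOCATION\tgranted\n"
    "com.example.torch\tandroid.permission.INTERNET\tgranted\n"
)
AFTER = (
    "com.example.notes\tandroid.permission.INTERNET\tgranted\n"
    "com.example.notes\tandroid.permission.PLACEHOLDER_NEW_PERMISSION\tgranted\n"
    "com.example.maps\tandroid.permission.ACCESS_FINE_LOCATION\tgranted\n"
    "com.example.torch\tandroid.permission.INTERNET\tgranted\n"
    "com.example.torch\tandroid.permission.CAMERA\tgranted\n"
    "com.example.newapp\tandroid.permission.INTERNET\tgranted\n"
)

def parse_snapshot(text):
    """Return {package: {permission: state}}, skipping blank or malformed lines."""
    apps = {}
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 3 or parts[2] not in ("granted", "requested"):
            continue
        pkg, perm, state = parts
        apps.setdefault(pkg, {})[perm] = state
    return apps

def permissions_gained(before, after):
    """List (package, permission, kind) for permissions granted only after upgrade.

    kind is "carried-over" when the permission was requested but not granted
    before the upgrade (the pattern described above), otherwise "new".
    Apps that did not exist before the upgrade are ignored.
    """
    findings = []
    for pkg in sorted(set(before) & set(after)):
        for perm, state in sorted(after[pkg].items()):
            previous = before[pkg].get(perm)
            if state == "granted" and previous != "granted":
                kind = "carried-over" if previous == "requested" else "new"
                findings.append((pkg, perm, kind))
    return findings

if __name__ == "__main__":
    for finding in permissions_gained(parse_snapshot(BEFORE), parse_snapshot(AFTER)):
        print("\t".join(finding))
```

A "carried-over" finding is the case worth reviewing first, since the app asked for the permission before the OS offered it.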
