Pileup flaws enable privilege escalation during Android updates, researchers find

Share this article:
Privilege escalation is made possible due to a new type of vulnerability known as Pileup flaws.
Privilege escalation is made possible due to a new type of vulnerability known as Pileup flaws.

Under the right conditions, simply updating any Android device can enable an attacker to escalate app privileges and carry out all sorts of malicious things, according to researchers with Indiana University Bloomington.

The privilege escalation is made possible due to a new type of vulnerability known as Pileup flaws, which the researchers discovered exist in the Package Management Service (PMS) that enables Android devices to update.

“So basically, new apps installed on old versions of Android can request permissions for things that don't exist on the old version of Android, but will on new versions,” Charlie Miller, a security researcher with Twitter who gained fame for finding notable vulnerabilities in Apple products, told SCMagazine.com in an email correspondence.

Miller explained, “This doesn't cause problems on the old version. The problem is that when the user does someday update to the new version, Android just keeps all the permissions from before except now they actually work.” 

The end result is that the app attains system and signature permissions – it can control the settings too, such as protection levels – as well as can substitute for and block new system apps, contaminate data, steal user information, change security configurations, and prevent installation of critical system services, according to the researchers' paper.

Pileup flaws can be exploited on all official Android versions, and more than 3,000 customized versions, across thousands of device manufacturers, carriers and countries, the researchers determined, explaining that they developed a service capable of detecting apps configured to exploit Pileup flaws.

“The fix would be to not allow these types of "new" permissions to carry over on update,” Miller said. “As a non-technical Android user, the best you can do is to only download trusted apps. If you are technically minded, when you upgrade Android, you may want to compare app permissions before and after upgrade.”

Share this article:

Sign up to our newsletters

More in News

Five schools earn NSA's excellence in cyber ops distinction

The schools earned NSA's Centers for Academic Excellence designation for their cyber offerings.

With RATs at their disposal, 419 scammers target businesses

With RATs at their disposal, 419 scammers target ...

A new report reveals how Nigeria's 419 scammers are spreading malware to pocket business funds.

InfoSec pros worried BYOD ushers in security exploits, survey says

InfoSec pros worried BYOD ushers in security exploits, ...

A study by the Information Security Community on LinkedIn found most organizations don't have proper polices and support for BYOD.