Under the right conditions, simply updating any Android device can enable an attacker to escalate app privileges and carry out all sorts of malicious things, according to researchers with Indiana University Bloomington.
The privilege escalation is made possible due to a new type of vulnerability known as Pileup flaws, which the researchers discovered exist in the Package Management Service (PMS) that enables Android devices to update.
“So basically, new apps installed on old versions of Android can request permissions for things that don't exist on the old version of Android, but will on new versions,” Charlie Miller, a security researcher with Twitter who gained fame for finding notable vulnerabilities in Apple products, told SCMagazine.com in an email correspondence.
Miller explained, “This doesn't cause problems on the old version. The problem is that when the user does someday update to the new version, Android just keeps all the permissions from before except now they actually work.”
The end result is that the app attains system and signature permissions – it can control the settings too, such as protection levels – as well as can substitute for and block new system apps, contaminate data, steal user information, change security configurations, and prevent installation of critical system services, according to the researchers' paper.
Pileup flaws can be exploited on all official Android versions, and more than 3,000 customized versions, across thousands of device manufacturers, carriers and countries, the researchers determined, explaining that they developed a service capable of detecting apps configured to exploit Pileup flaws.
“The fix would be to not allow these types of "new" permissions to carry over on update,” Miller said. “As a non-technical Android user, the best you can do is to only download trusted apps. If you are technically minded, when you upgrade Android, you may want to compare app permissions before and after upgrade.”
