Flaws in Android update mechanism could turn apps into malware
Posted on 24.03.2014
A group of researchers from Indiana University and Microsoft Research have unearthed six Android vulnerabilities that can be exploited to turn apparently harmless apps into malicious ones when a user upgrades the OS.

"People tend to believe that an OS upgrade makes their mobile devices much securer [sic] and more reliable, because the new OS version presumably fixes security loopholes and enhances the system's security protection," the researchers point out.

But these newly discovered vulnerabilities - dubbed Pileup (privilege escalation through updating) by the researchers - exist in almost all Android versions. They allow "unprivileged" apps installed before an upgrade to automatically acquire potentially malicious capabilities afterwards - including all new permissions added by the newer version of the OS - without the users' consent, because the permission requests were accepted once at install time and the upgrade never asks again.

"The consequences of the attacks are dire, depending on the exploit opportunities on different Android devices, that is, the nature of the new resources on the target version of an update," they note.

"As an example, on various versions of Android, an upgrade allows the unprivileged malware to get the permissions for accessing voicemails, user credentials, call logs, notifications of other apps, sending SMS, starting any activity regardless of permission protection or export state, etc," they explained.

"The malware can also gain complete control of new signature and system permissions, lowering their protection levels to "normal" and arbitrarily changing their descriptions that the user needs to read when deciding on whether to grant them to an app; it can even replace the official Google Calendar app with a malicious one to get the phone user's events, drop Javascript code in the data directory to be used by the new Android browser so as to steal the user's sensitive data, or prevent her from installing critical system apps such as Google Play Services."

They proved their point by creating apps that exploit the aforementioned flaws and successfully submitted them to a variety of Android app markets, including Google Play.

But they have also created a security app that checks whether the apps already installed on the device will acquire malicious capabilities once the user upgrades his or her Android installation. The app is named Secure Update Scanner, and is available for download on Google Play, Amazon AppStore for Android, GetJar, SlideMe, and 360 Mobile Assistant.
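The checks such a scanner has to perform follow directly from the three abuse patterns described above: an app that already requests a permission the current OS does not define yet, an app that defines a permission whose name the next OS version will introduce (so the app's weaker protection level wins), and an app whose package name collides with a system app the upgrade would add. The following is an added example of that pre-upgrade check, written for this page; it is not the researchers' Secure Update Scanner code. It works on hand-built, simplified manifest data rather than parsed AndroidManifest.xml files, and the permission names, protection levels, API levels and package names in the sample data are illustrative inputs, not an authoritative diff between two real Android releases.

```python
# Pre-upgrade "Pileup" check (constructed example, not the researchers' code).
# Given simplified manifest data for installed apps plus the permission and
# system-package sets of the running OS version and of the upgrade target, it
# flags apps that would gain capabilities during the upgrade:
#   preclaim - app already requests a permission that exists only in the target
#              version; the upgrade defines it and grants it with no new prompt.
#   hijack   - app defines a permission whose name the target version introduces,
#              at a weaker protection level; the app's definition wins.
#   squat    - app's package name matches a system app the target version adds,
#              blocking or shadowing that system app.
# All names, levels and API levels below are illustrative, not a real OS diff.
from dataclasses import dataclass

# Android protection levels, weakest first.
_LEVELS = {"normal": 0, "dangerous": 1, "signature": 2, "signatureOrSystem": 3}


@dataclass(frozen=True)
class Permission:
    name: str
    protection_level: str  # one of the keys of _LEVELS


@dataclass(frozen=True)
class App:
    package: str
    uses_permissions: frozenset       # <uses-permission android:name=...>
    defines_permissions: tuple = ()   # <permission android:name=... protectionLevel=...>


@dataclass(frozen=True)
class OsVersion:
    api_level: int
    permissions: dict                 # name -> Permission defined by the platform
    system_packages: frozenset        # packages shipped as system apps


def pileup_findings(app, current, target):
    """Return (kind, name, detail) tuples describing what `app` would gain on upgrade."""
    findings = []
    added = {n: p for n, p in target.permissions.items() if n not in current.permissions}

    for name in sorted(n for n in app.uses_permissions if n in added):
        findings.append(("preclaim", name,
                         f"{added[name].protection_level} permission granted without a prompt"))

    for own in app.defines_permissions:
        plat = added.get(own.name)
        if plat and _LEVELS[own.protection_level] < _LEVELS[plat.protection_level]:
            findings.append(("hijack", own.name,
                             f"{plat.protection_level} downgraded to {own.protection_level}"))

    if app.package in target.system_packages - current.system_packages:
        findings.append(("squat", app.package, "collides with a new system package"))

    return findings


def scan_device(apps, current, target):
    """Map each risky package name to its findings; clean apps are omitted."""
    report = {}
    for app in apps:
        hits = pileup_findings(app, current, target)
        if hits:
            report[app.package] = hits
    return report


# Constructed sample data: the installed OS version and its upgrade target.
CURRENT = OsVersion(
    api_level=15,
    permissions={
        "android.permission.INTERNET": Permission("android.permission.INTERNET", "normal"),
        "android.permission.READ_CONTACTS": Permission("android.permission.READ_CONTACTS", "dangerous"),
    },
    system_packages=frozenset({"com.android.settings"}),
)
TARGET = OsVersion(
    api_level=16,
    permissions={
        **CURRENT.permissions,
        "android.permission.READ_CALL_LOG": Permission("android.permission.READ_CALL_LOG", "dangerous"),
        "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE":
            Permission("android.permission.BIND_NOTIFICATION_LISTENER_SERVICE", "signature"),
    },
    system_packages=CURRENT.system_packages | {"com.google.android.gms"},
)

# Constructed installed apps: one benign, one per abuse pattern.
INSTALLED = [
    App("com.example.notes", frozenset({"android.permission.INTERNET"})),
    App("com.example.flashlight",
        frozenset({"android.permission.INTERNET", "android.permission.READ_CALL_LOG"})),
    App("com.example.widget", frozenset(),
        (Permission("android.permission.BIND_NOTIFICATION_LISTENER_SERVICE", "normal"),)),
    App("com.google.android.gms", frozenset({"android.permission.INTERNET"})),
]


def demo():
    return scan_device(INSTALLED, CURRENT, TARGET)


if __name__ == "__main__":
    for pkg, hits in demo().items():
        for kind, name, detail in hits:
            print(f"{pkg}: [{kind}] {name}: {detail}")
```

The check is deliberately conservative: a "preclaim" hit only means the permission would be granted silently, not that the app is malicious, so a real scanner would present these findings for review rather than block the upgrade. Note also that an app defining a colliding permission at the same or a stronger level than the platform's is not flagged, since that is not a downgrade.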

The researchers have also notified Google of the flaws, and one has already been patched. But even if all of them were patched immediately, the Android ecosystem is painfully slow at pushing out and adopting new updates, and the attack window is the upgrade itself, so checking the apps already installed before upgrading remains the most practical defense for the time being.

COPYRIGHT 1998-2014 BY HELP NET SECURITY.