All Android devices at risk of being hacked when installing OS system updates

You expect your apps and personal data to still be in your Android after an operating system upgrade, but the updating mechanism that allows that has a new class of privilege escalation vulnerabilities, which security researchers warn “pose serious threats to billions of Android users” who update their systems. Basically flaws in Android's program logic to install updates could allow a bad app to gain godlike permission to take control of your Android device, from hijacking your Google account, sending text messages, accessing voicemail, formatting removable storage, to stealing your passwords for a banking site. When talking about the flaws that affect “all the Android devices worldwide,” the researchers used words like dangerous, dire and devastating.

While OS upgrades often close security holes, a team of researchers from Indiana University and Microsoft Research explained that vulnerabilities in the Android Package Management Service (PMS) will allow a “seemingly harmless malicious app” to “automatically acquire significant capabilities without users’ consent once they upgrade” to a newer version of Android." They call the vulnerabilities Pileup flaws, for privilege escalation through updating, and identified six such flaws in Android OS code. This is the first time anyone has “systematically studied the security hazards introduced by the vulnerable program logic for installing” Android updates or patches. They will present their research, “Upgrading Your Android, Elevating My Malware: Privilege Escalation through Mobile OS Updating” [pdf] at the IEEE Security and Privacy symposium in May.

“A distinctive feature of the threat is that the attack is not aimed at a vulnerability in the current system,” wrote the researchers. “Instead, it exploits the flaws in the updating mechanism of the ‘future’ OS, which the current system will be upgraded to.” Successfully exploiting these logic flaws when you upgrade to a newer OS could have “devastating consequences.”

Their research “confirmed the presence of the issues in all AOSP (Android Open Source Project) versions and 3,522 source code versions customized by Samsung, LG and HTC across the world.” They “further conducted a measurement study over 3,549 factory images from Google and Samsung, and discovered tens of thousands of attack opportunities across different Android versions, countries, carriers and vendors, each of which enables a knowledgable adversary to acquire system capabilities automatically during an upgrade.”

What kind of attacks? The researchers wrote [pdf]:

As examples, on various versions of Android, an upgrade allows the unprivileged malware to get the permissions for accessing voicemails, user credentials, call logs, notifications of other apps, sending SMS, starting any activity regardless of permission protection or export state, etc.; the malware can also gain complete control of new signature and system permissions, lowering their protection levels to “normal” and arbitrarily changing their descriptions that the user needs to read when deciding on whether to grant them to an app; it can even replace the official Google Calendar app with a malicious one to get the phone user’s events, drop Javascript code in the data directory to be used by the new Android browser so as to steal the user’s sensitive data, or prevent her from installing critical system apps such as Google Play Services. 

The researchers have posted video demos “which show how a seemingly harmless app can exploit Pileup flaws to cause various bad consequences, including stealing all of your Google Voice messages, hacking your Google account, stealing your passwords for banking sites, etc., once you upgrade to newer version of Android.”

They did responsibly disclose the vulnerabilities and Google did address one of six flaws and roll out the patch to vendors. But who knows when it might be pushed out to your device? The other five flaws have been given a “tracking number.”

“OS updates are very important or even critical if they include urgent fixes for security bugs,” wrote the researchers. Yet “with Pileup flaws, every OS update offers bad guys opportunities to attack Android users.” You need to install Android system updates, but your Android device could be "hacked" when you install the updates…so what are you supposed to do? Luckily they developed a free security app, Secure Update Scanner, which should be run before every system update to detect any malicious apps that could exploit Pileup flaws.

Secure Update Scanner for Android detects apps that can exploit Pileup flaws

I encourage you to read “Upgrading Your Android, Elevating My Malware: Privilege Escalation through Mobile OS Updating” [pdf] by Luyi Xing (Indiana University), Xiaorui Pan (Indiana University), Rui Wang (Microsoft Research), Kan Yuan (Indiana University) and XiaoFeng Wang (Indiana University). At least read the condensed version on the researchers’ site.

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Windows 10 annoyances and solutions
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.