Researchers coming from
Indiana University and Microsoft announced a potentially critical,
large-scale security flaw in the Android update process. Android
updates remove or replace thousands of files on the smartphone's
storage, with each of them having specific attributes and privileges
within its file system. While a new update is being installed, a bug
that researchers named "Pileup" could allow parasite
malicious apps to be "smuggled" with the software, posing
as replacements for safe update files that are already present on the
file system and assigned permissions.
As the research report puts it, "a
third-party package attribute or property, which bears the name of
its system counterpart, can be elevated to a system one during the
updating shuffle-up where all apps are installed or reinstalled, and
all system configurations are reset. Also, when two apps from old and
new systems are merged as described above, security risks can also be
brought in when the one on the original system turns out to be
malicious." Apparently, current Android security solutions
don't detect the infected files' activity as suspicious, and the end
user has no means to monitor when new permissions are granted to
them. Meanwhile, attackers can exploit the Pileup vulnerability to
inject malicious JavaScript code that could grant them control of
user data.
The team has discovered six Pileup
vulnerabilities within the Android Package Management Service and
confirmed their presence in all Android Open Source Project versions,
including more than 3500 custom ROMs by Android device vendors. The
researchers estimate that more than a billion Android devices are
potentially vulnerable to Pileup attacks.
While we're waiting on a response by
Google on the matter, we learned that the company has been made aware
of the issue and has fixed one of the six vulnerabilities.
No comments:
Post a Comment