Categories

Mobile Security

Research Paper Shows Upgrading Android Could Upgrade Malware

Researchers at Indiana University Bloomington and Microsoft released a paper detailing a new set of vulnerabilities in the Android Operating System dubbed Pileup flaws; where Pileup means “privilege escalation through updating”.

These flaws exist within Android’s Package Management System (PMS) and could allow malware to “upgrade” its privileges simultaneously with a system upgrade.

“Our research brought to light a new type of security-critical vulnerabilities, called Pileup flaws, through which a malicious app can strategically declare a set of privileges and attributes on a low-version operating system (OS) and wait until it is upgraded to escalate its privileges on the new system”

The paper goes on to say they confirmed the existence of the Pileup flaws on every official version of Android and on over 3000 custom versions. In addition, the paper documents several of the exploits used against the Pileup vulnerabilities.

Our research also identified hundreds of exploit opportunities the adversary can leverage over thousands of devices across different device manufacturers, carriers and countries.

While this may sound scary, big vulnerabilities have appeared on Android in the past.

Last July, for example, Bluebox Security reported on the Master Key vulnerability that affected some 99 percent of Android devices. The flaw was quickly addressed in many custom versions of android, like CynaogenMod, however, it took some time for carriers to get it fixed, likely due to fragmented updates.

However, when news of big name security flaws like this are released, it tends to pose the question: is Android really secure?

Well, as for securing the Pileup vulnerabilities, the same researchers have already done that work, as seen in their paper.

We also developed a new detection service, called SecUP, which deploys a scanner on the user’s device to capture the malicious apps designed to exploit Pileup vulnerabilities.

According to the paper, SecUP provides a scanner app that looks at Android packages (APKs) and determines if privilege escalation will occur during an update. With this information, the program builds a database that records all of the Pileup vulnerability opportunities.

Architecture of SecUP, the service designed to mitigate Pileup vulnerabilities.

Architecture of SecUP, the service designed to mitigate Pileup vulnerabilities.

Even still, despite the availability of immediate mitigation, it seems doubtful this will be enough to silence the numerous critics of Android’s security in the days to come.

Android, while remaining the most used mobile OS worldwide, is often criticized for its “openness”, allowing users to load custom versions of the OS onto their devices, called roms, that improve functionality and add features.

Such modifications themselves usually require users to exploit their devices to acquire “root”, which in itself could be considered a possibly security risk.

In addition, Android is often cited for its slow updates due to fragmentation, although some of this should be addressed with Google’s new updating strategy.

But despite the claims against it, Android is still beloved by many for the very same reasons, and many users gladly choose Android over its more restrictive counterparts, such as Windows Mobile or Apple’s iOS.

Whichever side of the fence you’re on, news of this vulnerability shouldn’t frighten Android users too much; as long as they’re practicing safe habits with their device, they shouldn’t be exposed to much, if any, malware.

To read the entire research paper, click here. As always, please list any thoughts and comments below.

_________________________________________________________________
Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and malware analysis. Twitter: @joshcannell


One thought on “Research Paper Shows Upgrading Android Could Upgrade Malware

  1. Joni Salminen says on March 21, 2014 at 12:38 am :

    Popular superuser software probably use this to survive system upgrade. Maybe developer made good decision keeping that software closed source IF it use this very same method.

Leave a Reply

Subscribe to our YouTube Channel