Android vulnerabilities in the way the OS handles updates have been detected, putting around one billion devices at risk.
According to a report by the Hacker News, researchers from Indiana University and Microsoft have discovered a new set of Android vulnerabilities that is capable to carry out privilege escalation attacks because of the weakness in its Package Management Service (PMS).
Named the Pileup flaws, there are six different vulnerabilities within the Android PMS and are present in all Android Open Source Project versions, including more than 3,500 customized versions of Android developed by handset makers and carriers.
The researchers also found that by exploiting the Pileup vulnerabilities, a hacker can not only control the system permission and signature but also their settings. Moreover an attacker could use the malicious app to access and steal the device data, including, sensitive user information such as activity logs, user credentials, Contacts, Messages etc.
“A distinctive and interesting feature of such an attack is that it is not aimed at a vulnerability in the current system. Instead, it exploits the flaws in the updating mechanism of the ‘future’ OS, which the current system will be upgraded to,” the researchers wrote. “More specifically, though the app running on a lower version Android, the adversary can strategically claim a set of carefully selected privileges or attributes only available on the higher OS version.”
All the six vulnerabilities have been reported to Google by the researchers, from which one of it has been fixed by them.
Commenting, Michael Sutton, VP security research at Zscaler, said: “The ‘pileup’ flaws detailed by the researchers identify vulnerabilities unique to Android which permit privilege escalation when the operating system is updated. Fortunately, the scope and timing of the flaws is limited. An attacker would be restricted to newly added privileges in a subsequent version of the Android operating system and the attack would occur at a predictable time – during the update process.
“Unfortunately, the attack surface is broad, with virtually all vendor specific Android implementations affected. The issue is further complicated by the fact that Android is a very fractured operating system, with many versions in circulation. Therefore, even once Google addresses the flaws, they are likely to live on for some time.
“Due to the fact that apps can be scanned to determine if they are designed to take advantage of pileup flaws, Google, beyond fixing the problems outright, can and should also be scanning apps to ensure that they are not targeting pileup flaws before releasing them into the Google Play store.”
