Android Update Vulnerabilities Could Allow Data Thieves On Phones

Weaknesses in the way Google’s Android operating system handles app permissions during an OS update could allow an apparently harmless app, installed before the update, to acquire data-stealing capabilities once the update is applied.

The “Pileup” (privilege escalation through updating) vulnerabilities would let an ostensibly nonthreatening app, installed with limited permissions, turn into data-stealing software after the OS is upgraded, according to researchers from Microsoft and Indiana University.

Android update danger

An app installed on an old OS version can request, in its manifest, permissions that the old version does not yet define. The package manager ignores them at install time, but once the device is upgraded to a version that does define them, the app receives them without the user being asked, gaining, for example, access to voicemail, the researchers said.

They uncovered six Pileup flaws within Android’s Package Manager Service by examining 3,522 versions of Android source code customised by Samsung, LG and HTC.

The researchers said exploits would have potentially dire consequences for users. By declaring a shared user ID (UID) and the package name of a system app that the upgrade would introduce, they showed how a malicious app could substitute itself for system apps such as Google Calendar. The same “package name trick” worked against the Android browser, letting the malicious app read or tamper with its cookies, cache, security settings and bookmarks.

A malicious app could also get permission to access voicemails, user credentials, call logs, notifications of other apps and text messages.

Exploits could also be used to block the installation of system-critical apps such as Google Play Services, which is used to update Google’s own apps and apps from the company’s store.

“The malware can also gain complete control of new signature and system permissions, lowering their protection levels to ‘normal’ and arbitrarily changing their descriptions that the user needs to read when deciding on whether to grant them to an app,” the paper read.

“Particularly, we found that customised OSes are highly susceptible to the Pileup attacks, due to a large number of system capabilities they bring in for each upgrade.”
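The two mechanisms described above, an app requesting permissions the installed OS does not yet know, and an app pre-defining a permission that the next OS version will introduce at a stronger protection level, can both be spotted before the upgrade by diffing the app’s manifest against the permission and system-package catalogs of the two OS builds. The following is an added illustration of that check, not SecUP’s code or anything from the paper: the OS catalogs, the vendor permission `com.example.vendor.permission.READ_NOTIFICATIONS`, the package `com.example.vendor.calendar` and the sample manifest are all constructed for the example.

```python
"""Pileup-style pre-upgrade scan (illustrative, added example; not SecUP's code).

Compares an app manifest against the permission and system-package catalogs of
the installed OS build and the build it is about to be upgraded to, and flags
declarations that are inert today but gain power after the upgrade.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's Clark notation for android:* attributes

# Protection levels from weakest to strongest (Android's own ordering).
LEVEL_RANK = {"normal": 0, "dangerous": 1, "signature": 2, "signatureOrSystem": 3}

# Constructed, deliberately tiny catalogs standing in for what a real scanner
# would extract from each build's framework resources. The vendor permission
# and the vendor package name are hypothetical.
OS_CATALOG = {
    "old": {
        "permissions": {
            "android.permission.INTERNET": "normal",
            "android.permission.READ_CONTACTS": "dangerous",
        },
        "system_packages": {"com.android.browser"},
    },
    "new": {
        "permissions": {
            "android.permission.INTERNET": "normal",
            "android.permission.READ_CONTACTS": "dangerous",
            "android.permission.READ_CALL_LOG": "dangerous",
            "android.permission.ADD_VOICEMAIL": "dangerous",
            "com.example.vendor.permission.READ_NOTIFICATIONS": "signature",
        },
        "system_packages": {"com.android.browser", "com.example.vendor.calendar"},
    },
}

# Constructed manifest of an app that looks harmless on the old build.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vendor.calendar">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ADD_VOICEMAIL"/>
    <permission android:name="com.example.vendor.permission.READ_NOTIFICATIONS"
        android:protectionLevel="normal"/>
    <application android:label="Harmless Notes"/>
</manifest>
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # dangling_request | permission_preempt | package_collision
    name: str
    detail: str


def parse_manifest(xml_text):
    """Return (package name, requested permissions, {defined permission: level})."""
    root = ET.fromstring(xml_text)
    requested = [e.get(A + "name") for e in root.iter("uses-permission")]
    defined = {e.get(A + "name"): e.get(A + "protectionLevel", "normal")
               for e in root.iter("permission")}
    return root.get("package"), requested, defined


def scan_for_pileup(xml_text, installed, target):
    """Flag manifest entries whose meaning changes between the two OS builds."""
    cur, nxt = OS_CATALOG[installed], OS_CATALOG[target]
    pkg, requested, defined = parse_manifest(xml_text)
    findings = []
    # 1. Requested permissions the current build does not know: ignored now,
    #    but granted without a prompt once the upgrade defines them.
    for name in requested:
        if name not in cur["permissions"] and name in nxt["permissions"]:
            findings.append(Finding("dangling_request", name,
                f"unknown on {installed}; {nxt['permissions'][name]} on {target}"))
    # 2. Permissions the app defines that the new build will also define:
    #    the app's (weaker) definition is already registered when the upgrade lands.
    for name, level in defined.items():
        if name not in cur["permissions"] and name in nxt["permissions"]:
            future = nxt["permissions"][name]
            weaker = LEVEL_RANK.get(level, 0) < LEVEL_RANK.get(future, 0)
            findings.append(Finding("permission_preempt", name,
                f"app declares {level}, {target} expects {future}"
                + (" (downgraded)" if weaker else "")))
    # 3. Package name squatting on a system app the new build introduces.
    if pkg not in cur["system_packages"] and pkg in nxt["system_packages"]:
        findings.append(Finding("package_collision", pkg,
            f"becomes a system package on {target}"))
    return findings


if __name__ == "__main__":
    for f in scan_for_pileup(SAMPLE_MANIFEST, "old", "new"):
        print(f"[{f.kind}] {f.name}: {f.detail}")
```

Run on the sample, the scan reports two dangling requests (call log and voicemail), one pre-empted vendor permission declared as `normal` where the new build expects `signature`, and a package name that collides with a system app the new build introduces; the same manifest scanned against the new build alone produces nothing, which is exactly why a check that only looks at the installed OS misses Pileup.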

They said they had informed Google and the relevant manufacturers of their findings and were working on patches.

The researchers created a tool called SecUP, which deploys a scanner on the user’s device to detect installed apps that would be escalated by a pending OS upgrade. The app can now be found on Google Play.

Google had not responded to a request for comment at the time of publication.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
