Six new Android Pileup Flaws leave every smartphone and tablet vulnerable

We think that mobile operating systems are secure but new bugs uncovered in Google's mobile platform shows how every Android-powered device – more than a billion devices in all – are vulnerable to malware thanks to privilege escalation issues.

Researchers from Indiana University and Microsoft have published a paper that describes a new class of Android vulnerabilities called Pileup flaws. Pileup, which is short for privilege escalation through updating, increases the permissions offered to malicious apps once Android is updated, without informing the user.

Six different Pileup vulnerabilities have been found by the researchers within the Android PMS, those are present in all Android Open Source Project versions, including more than 3,500 customized versions of Android developed by handset makers and carriers.

The research was carried out by Indiana's Luyi Xing, Xiaorui Pan, Kan Yuan and XiaoFeng Wang, with help from Rui Wang of Microsoft Research.

What's going on in “Pileup” – privilege escalation through updating – is this: some permission settings offered in newer Android versions aren't present in older versions. A malicious app – one that would raise alarms in a newer version – can be installed in an older version without problems. It can't ask for dangerous permissions, because those permissions don't exist.

However, because Android tries not to break apps during the update process, an update on the infected device will automatically assign the escalated permissions to the malicious app, without alerting the user.

"Every few months, an update is released, which causes replacement and addition of tens of thousands of files on a live system. Each of the new apps being installed needs to be carefully configured to set its attributes within its own sandboxes and its privileges in the system, without accidentally damaging existing apps and the user data they keep," the researchers wrote. "This complicates the program logic for installing such mobile updates, making it susceptible to security-critical flaws."
"Through the app running on a lower version of Android, the adversary can strategically claim a set of carefully selected privileges or attributes only available on the higher OS version," the researchers wrote.

In other words, the attacker compares API calls in a late version of Android, and defines that system permission in an app designed for installation on an older version. By way of example, they write, permission.ADD_VOICEMAIL would be ignored in Android 2.3.6 because it doesn't exist – that permission was added in 4.0.4. The app would look benign until the user upgraded to 4.0.4, at which point it becomes exploitable.

The researchers have also introduces a new scanner called SecUP that detects malicious apps already on a device lying in wait for elevated privileges. The scanner verifies the source code of PMS (from different Android versions) to identify any violation of a set of security constraints.

Google is aware of the flaw and is likely to fix it in the next version of Android.