Index

  • Index

Android Update Service Weakness Puts All Devices At Risk For Privilege Escalation

01:49 Tuesday Mar 25, 2014

            

Researchers say they found a half-dozen different Pileup flaws within Android’s Package Management Service, and confirmed those vulnerabilities are present in all Android Open Source Project versions and more than 3,500 customized versions of Android developed by handset makers and carriers.

Mobile operating systems seem to be pretty secure, but weaknesses in the app update process uncovered in Google's mobile platform shows how every Android-powered device – more than a billion devices in all – are vulnerable to malware thanks to privilege escalation issues.

Researchers from Indiana University and Microsoft published a paper that describes a new class of Android vulnerabilities called Pileup flaws. Pileup, which is short for privilege escalation through updating, increases the permissions offered to malicious apps once Android is updated, without informing the user.

"Every few months, an update is released, which causes replacement and addition of tens of thousands of files on a live system. Each of the new apps being installed needs to be carefully configured to set its attributes within its own sandboxes and its privileges in the system, without accidentally damaging existing apps and the user data they keep," the researchers wrote. "This complicates the program logic for installing such mobile updates, making it susceptible to security-critical flaws."

"Through the app running on a lower version of Android, the adversary can strategically claim a set of carefully selected privileges or attributes only available on the higher OS version," the researchers wrote.

The problem, to put it simply, is that for the sake of convienience the Android user interface doesn't pop up any prompts pointing out the new permissions, but instead assigns them automatically in the background without giving the user any say in the matter.

The researchers said they found a half-dozen different Pileup flaws within Android’s Package Management Service, and confirmed those vulnerabilities are present in all Android Open Source Project versions and more than 3,500 customized versions of Android developed by handset makers and carriers.

The researchers have also introduced a new scanner called SecUP that detects malicious apps already on a device lying in wait for elevated privileges. The scanner verifies the source code of the Package Management Service (from different Android versions) to identify any violation of a set of security constraints."

All of the issues have been reported to Google, and the company has already patched one of the six vulnerabilities.

 

< Back

    Add your comment

    We aim to have healthy debate. But we won't publish comments that abuse others

    1200 characters left

     

     

    LATEST NEWS

     
      

    © copyright 2013 Website News. All rights reserved.

     

    SECTIONS

    ABOUT

    SUBSCRIBE

     

    Website News is for and about the website design, development, marketing industry. We will endeavor to bring you up-to-date news and information to help you in your work as well as give you useful information and tips for your clients and their businesses.

    We are always keen for you to submit any information you find from elsewhere, or about your business, that you feel will be relevant.

     

     

     

     

    Contact Us:

    For advertising enquiries or to submit a story, please email us at: editor@websitenews.co

     

    Login

    Website News

    Sign-up to Website News and create your universal Woogloo ID

    Your details

    Your login details

    Your address


    Is your address not being found?

    Company

    Company address

    Yes No


    To register on the Website News website you either need to use your
    exisitng Woogloo ID or create a new one (see below).

    Sign Up

    Why sign up?

    • Get access to Registered User's priviledges, which may include hidden pages, special features and special pricing, if they exist, on this website.
    • Get access to all sites powered by Woogloo V3 without having to enter your details everytime.

    Login Error

    Forgot your password?

    Enter your email address below and click 'Reset Password' Button




    What is a Woogloo ID

    Logging in...