A new class of security flaw that is "highly suspected" to affect all of the almost one billion Android devices in existence has been discovered by a research team from Indiana University and Microsoft.
The so-called ‘Pileup' flaw lurks inside the Android Package Management Service (PMS) which handles the many updates to the Android operating system. It allows malware installed on an Android device to grab new privileges whenever an update occurs and steal the user's sensitive data.
Criminals could insert JavaScript code to hijack the user's credentials, access their voicemails and call logs, send an SMS, change their security configuration, and start any activity regardless of permission protection.
“The Pileup vulnerabilities are critical, highly pervasive and also fundamental,” the research team said.
The opportunity to exploit the flaw is also significant, the team said, as there have been 19 official Android version updates since September 2008 – one every three months – while phone providers create versions for multiple carriers and countries, with Samsung so far releasing more than 10,000 different Android versions worldwide.
The researchers said they “highly suspect that all Android devices are vulnerable to our attacks”.
“We systematically confirmed the presence of those security flaws on all Android official versions and all 3522 source code versions customised by Samsung, LG and HTC across the world that we inspected," they said.
"Our research also identified hundreds of exploit opportunities the adversary can leverage over thousands of devices across different device manufacturers, carriers and countries. The consequences of the attacks are dire.”
The Indiana University/Microsoft research team reported the findings to key Android device vendors such as Google, and are helping them fix the issues. They have also developed their own Pileup detection service, called SecUP.
The researchers said the Google security team had come up with a fix for the permission bug and released it to partners. Google is also working on solutions for the other bugs.
Malware intelligence analyst at Malwarebytes Josh Cannell said the threat was important because it could allow malware that's pre-installed on a device to acquire new privileges via a system upgrade.
“Obviously this is a big issue, as you don't expect, nor desire, malware to be ‘upgraded' when you're only wanting to update the OS," he said.
He said the open and customised nature of Android could sometimes be a double-edged sword.
"Custom ROMs (new Android versions) are great, but can they always be trusted? Make sure you do your homework before you consider using one, as it may have malicious apps with it," he said.
"Also, most custom ROMs, if not all, will require users to root their phones, and if not done properly, this could leave a phone ‘bricked'.” Users should also install mobile anti-malware software, he said.
Another Android flaw
Meanwhile, security firm Trend Micro has revealed another Android security flaw in the system that controls the data that apps can access.
In a 20 March blog, Trend Micro mobile threats analyst Weichao Sun said malicious software that is already installed on an Android device could hijack the ‘permissions' granted to any legitimate apps installed after it – enabling the malware to access the supposedly protected data within the legitimate app.
Trend said it has found almost 10,000 apps at risk of this vulnerability and while refusing to name names, said it found that “a popular online store leaks its online browsing history, a popular chat app leaks the user's in-app purchases, and a popular social network can have fake messages inserted via its app”.
Trend has informed Google of the problem, and Weichao Sun warned: “Developers should not rely exclusively on the protection levels when their activities/receivers/services/providers are accessed. Several functions such as getCallingUid and getCallingPackage are provided by the operating system, and can be used to identify any apps requesting the above and implement access control as needed.”
