Android bugs leave every smartphone and tablet vulnerable to privilege escalation

Summary: Six new bugs uncovered in Google's mobile platform show how every Android-powered device – more than a billion devices in all – is vulnerable to malware thanks to privilege escalation issues.


On the whole, mobile operating systems seem to be pretty secure, but new bugs uncovered in Google's mobile platform show how every Android-powered device – more than a billion devices in all – is vulnerable to malware thanks to privilege escalation issues.

Researchers from Indiana University and Microsoft published a paper that describes a new class of Android vulnerabilities called Pileup flaws. Pileup, which is short for privilege escalation through updating, increases the permissions offered to malicious apps once Android is updated, without informing the user.

"Every few months, an update is released, which causes replacement and addition of tens of thousands of files on a live system. Each of the new apps being installed needs to be carefully configured to set its attributes within its own sandboxes and its privileges in the system, without accidentally damaging existing apps and the user data they keep," the researchers wrote. "This complicates the program logic for installing such mobile updates, making it susceptible to security-critical flaws."

"Through the app running on a lower version of Android, the adversary can strategically claim a set of carefully selected privileges or attributes only available on the higher OS version," the researchers wrote.

The problem, to put it simply, is that for the sake of convenience the Android user interface doesn't pop up any prompts pointing out the new permissions, but instead assigns them automatically in the background without giving the user any say in the matter.

The researchers claim to have discovered six different Pileup vulnerabilities within the Android Package Management Service (PMS), and have confirmed that these vulnerabilities are present in all Android Open Source Project versions, along with more than 3,500 customized versions of Android developed by handset OEMs and carriers. In total, the researchers claim that this leaves more than a billion Android devices vulnerable to a Pileup attack.

"A third-party package attribute or property, which bears the name of its system counterpart, can be elevated to a system one during the updating shuffle-up where all apps are installed or reinstalled, and all system configurations are reset," the researchers wrote. "Also, when two apps from old and new systems are merged as described above, security risks can also be brought in when the one on the original system turns out to be malicious."

The researchers have also introduced a new scanner called SecUP that detects malicious apps already on a device lying in wait for elevated privileges. The scanner verifies the source code of PMS (from different Android versions) to identify any violation of a set of security constraints.
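The defender-side check that follows is an added example, not SecUP and not any AOSP or Google code: it takes the article's description literally and, before an OS update is applied, compares the names an already-installed third-party app declares (its package name, the permissions it defines, its content-provider authorities and its sharedUserId) against the names the new OS version reserves for system components. Any match is a candidate for the "bears the name of its system counterpart" elevation described above. The manifest, the reserved-name list and the `Finding`, `declared_names` and `find_collisions` identifiers are all constructed for this example.

```python
"""Pre-update name-collision audit, in the spirit of the page's Pileup description.

Added example (not the SecUP scanner, not AOSP code). All inputs are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Attribute keys as ElementTree sees them once the android: prefix is expanded.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_AUTHORITIES = f"{{{ANDROID_NS}}}authorities"
A_SHARED_UID = f"{{{ANDROID_NS}}}sharedUserId"


@dataclass(frozen=True)
class Finding:
    package: str   # third-party package that already holds the name
    kind: str      # "package", "permission", "authority" or "sharedUserId"
    name: str      # the colliding name
    reason: str


# Constructed: names a hypothetical NEW OS version reserves for system use.
NEW_OS_RESERVED = {
    "package": {"com.example.sysnewservice"},
    "permission": {"android.permission.EXAMPLE_NEW_SECRET",
                   "android.permission.RECORD_AUDIO"},
    "authority": {"com.example.sysnewservice.provider"},
    "sharedUserId": {"android.uid.system"},
}

# Constructed: manifest of an app installed under the OLD OS version. It
# pre-claims a package name, a permission and a provider authority that only
# the new OS version will introduce as system-owned.
THIRD_PARTY_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sysnewservice">
    <permission android:name="android.permission.EXAMPLE_NEW_SECRET"
                android:protectionLevel="normal"/>
    <permission android:name="com.example.thirdparty.OWN_PERMISSION"
                android:protectionLevel="signature"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application>
        <provider android:name=".Provider"
                  android:authorities="com.example.sysnewservice.provider"/>
    </application>
</manifest>
"""


def declared_names(manifest_xml: str) -> dict:
    """Collect the names a manifest claims for itself.

    Only permissions the app *defines* (<permission>) matter for the
    update-time elevation; <uses-permission> requests are recorded separately.
    """
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("not an AndroidManifest.xml root element")
    names = {
        "package": set(),
        "permission": {e.get(A_NAME) for e in root.iter("permission") if e.get(A_NAME)},
        "authority": set(),
        "sharedUserId": set(),
        "uses": {e.get(A_NAME) for e in root.iter("uses-permission") if e.get(A_NAME)},
    }
    if root.get("package"):
        names["package"].add(root.get("package"))
    if root.get(A_SHARED_UID):
        names["sharedUserId"].add(root.get(A_SHARED_UID))
    for prov in root.iter("provider"):
        # android:authorities may list several authorities separated by ';'
        for auth in (prov.get(A_AUTHORITIES) or "").split(";"):
            if auth:
                names["authority"].add(auth)
    return names


def find_collisions(manifest_xml: str, reserved: dict) -> list:
    """Report every name the installed app already holds that the new OS
    version reserves. Each hit should block or be reviewed before updating."""
    names = declared_names(manifest_xml)
    pkg = next(iter(names["package"]), "<unknown package>")
    findings = []
    for kind in ("package", "permission", "authority", "sharedUserId"):
        for name in sorted(names[kind] & reserved.get(kind, set())):
            findings.append(Finding(
                pkg, kind, name,
                f"{kind} '{name}' is already claimed by an installed third-party "
                f"app; the update would merge it with the new system-owned one"))
    return findings


if __name__ == "__main__":
    for f in find_collisions(THIRD_PARTY_MANIFEST, NEW_OS_RESERVED):
        print(f"[{f.kind}] {f.package}: {f.reason}")
```

Run against the constructed manifest, the audit flags three collisions (package name, defined permission and provider authority) and ignores the app's own `com.example.thirdparty.OWN_PERMISSION` and its ordinary `uses-permission` request. The reserved-name set is the part a real deployment would have to derive from the target OS image; here it is simply hard-coded.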

All of the issues have been reported to Google, and the company has already patched one of the six vulnerabilities.

  • Something something

    Apple reference....
    • Phew got it out the way!


      This is an interesting attack vector. And good approach with the scanner! Good work researchers, it'll be interesting to see how google adapt the update process to patch it.
      • What update process?

        It isn't like Google has a valid process for updating all the countless versions of android running around.
        • You're right that it's open source.

          But in the world of opensource everyone takes from upstream.

          Google is the starting point, ubuntu's debian, mint's ubuntu, pc-bsd's freebsd.

          The changes google make to their OS update process will have the biggest effect across android. Depending on steps taken it is entirely possible that all downstream releases just use googles solution.
          • when will that happen?

            what google does right now will affect less than a single percent of existing devices.

            maybe in the future google does something that changes the way updates roll out to existing devices, but that is little more than talking about a theory right now.

            until then, the vast majority of android devices will never see any updates to resolve security flaws. that is just the way it is.
          • Whenever Play is Updated?

            Except Google will probably update Google Play's scanner to find, remove and reject. Google Play will scan phones with its malware scanner and not just the storefront.

            This was implemented so vulnerability updates wouldn't necessarily require an OS update to fix right now.
          • Phones that don't get updates aren't vulnerable

            Note that if there isn't a OS update for the phone, it's not going to be vulnerable to this escalation.

            If "Emacho" is correct, then most people have nothing to worry about. The maintenance updates to Android that don't change the major or first minor version number do not, to my knowledge, include new permissions to be allocated.

            I have read the paper. I think their choice of wording is deliberately inflammatory, but this is a vulnerability that can, and will, be fixed. It is not a structural flaw in the OS, it's a flaw in the OS update process.
          • This isn't even a security issue, it's a choice

            When a major software update comes out, you don't want the OS to prompt you for every app that requests a permission available on the new OS but not the old one. Developers always code for a new OS if they deem it feasible, so this is something basically EVERY developer already does!

            This issue will be nonexistent on Nexus devices (both the developer scenario I just mentioned, and the bug in the article) because new permissions are released with new Android releases which are synonymous with Nexus devices.

            All this study proves is that it CAN be used for malicious purposes. Obviously.
        • Actually

          This is specifically because google takes background control to push code to android, through the closed source google spyware/market layer...
          The sooner people lose the illusion that android is open source the sooner they will realize what they really have installed.
          It's an open source base with a closed source, proprietary spyware layer, designed from the ground up to be crippled without it, so almost anyone who roots flashes the closed source google app layer right back on giving it background system privileges that bypass the permission model people are familiar with.
          This is specifically rationalized that it allows google to silently push code updates in the background without user interaction, so it has nothing to do with updating the actual android version but google's own background code pushing spyware layer, which of course they can update all the countless versions running around. That's the point.
          • Wow

            I like your theory. Though I am on nexus 5, I like what you are saying about Google Spyware layer etc. I stopped using gmail few months back and as soon as Lumia has good share of apps, I will jump to lumia. Anyways just out of curiosity sake which platform is best from your point? Windows, android or ios?
          • I'm partial to IOS right now

            The sandboxing is great, quality is pretty good and they are more honest than most.
        • Wrong.

          Google have a google play service on android that they can use to patch or change anything they want.. The fact that they don't make a habit of it is a good thing I think.. The whole reason they are slowly moving in that direction is because of the whole fragmentation thing.. This way it won't matter what android version you have. The services and apps that run on it are all separate from the os version and updatable.. Soon there will be no fragmentation or any significance. Google started this process in ICS from memory.
      • so lets get this right

        If a Malware that is already on your stop right there.
        We are worried about escalated privileges of malware that is already installed but the fact that it is already installed is not the real problem?
        Am I missing something here or are they saying the doorlock is vulnerable once the thieves are inside the building?
        Yeh we want thieves to behave properly once they get in right?
        • something like that, but slightly different

          the app by most measures isn't malware until the security flaw in the update process elevates its security permissions.

          I doubt google vetting process takes that into account.
          • Proof

            Where is the proof that Google's App Store does not take these kinds of update security issues up in the vetting process? In other words, did the researchers find any apps that actually do this and are in the Google Store?

            Note: I think Android has some serious flaws when it comes to updates to its OS and Google needs to take back control from the carriers and handset makers and stamp in the licensing (even if its free) that devices need to be updated to the latest OS within x amount of time for 4 years or they break their licensing agreement. Android is just a mess with fragmentation. I buy Nexus and mod but most people have no idea what they are buying.
            Rann Xeroxx
          • That is why I said "doubt", as in it is just a theory

            However, it is a pretty good theory.

            Since the security flaw exists in the core operating system it doesn't make any sense for Google to scan for these types of exploits.... otherwise they would have fixed the problem in the operating system first?

            I'm not saying that is proof, but I can't say I have much faith in Googles ability to vet much these days.
        • Not a big deal

          Yeah kind of. If you have an app exploiting a new permission not yet known but will be in the next Android update then an app will already have those currently unknown permissions accepted.

          As long as the next AOSP update addresses this then it shouldn't be a problem. Those devices that never will get another OEM update don't have to worry because the app will never be able to use those new permissions. This wasn't found in the wild either.
          • The point is...

            The google app layer silently updates code in the background without allowing user interaction or control. This is part of the closed source spyware layer people flash back on after rooting. It has nothing to do with AOSP.
          • But GPS cannot affect permissions.

            This issue has nothing to do with Google Play Services. GPS can NOT alter system-level permissions.

            I'm not sure where you're getting this information, but GPS (the background layer) is just another APK with already elevated permissions. It cannot affect core system areas, and hence has nothing do with this issue.

            This issue also will not affect Nexus devices, as new permissions aren't known for these malicious apps to exploit until Android is released to the public. Which is synonymous with updates to Nexus devices. The timeframe just doesn't work for these hackers.
          • Are you still sure...

            GPS cannot update apps or alter their privileges in the background...???