Security Flaw Found in Android OS Upgrade Procedures
Published on: 21st Mar 2014
By: Ian Mansfield
A security flaw has been revealed in Android smartphones that can allow malicious code to be activated at a later date when the smartphone OS is next upgraded.
A team of researchers found that if a user downloaded an app that seemed at the time to have limited access to the handset facilities, these privileges can be changed at a later date, without the users knowledge.
The key here is that a seemingly innocent app could be downloaded, and at a later date, when the user is upgrading the OS in the smartphone, hidden malware can be activated without the user knowing.
The researchers, from the System Security Lab at Indiana University and at Microsoft Research call these vulnerabilities Pileup flaws (privilege escalation through updating).
A distinctive feature of the threat is that the attack is not aimed at a vulnerability in the current system. Instead, it exploits the flaws in the updating mechanism of the future OS, which the current system will be upgraded to.
For example, let us assume that Android in the future adds a new permission for accessing text messages. If the app developed today happens to add support for that still-unreleased feature, then when the OS is later upgraded, the app can automatically take advantage of the new feature, without explicit permission from the user.
The exploit requires an understanding of forthcoming Android OS updates, but that would be routine for any competent malware coder.
Google says that it has patched the problem, although it can take time for those OS upgrades to work their way through to the handset vendors, and then to the end users -- if at all.
On the web: SecureAndroidUpdate