
Beware of danger lurking in Android phone updates (Exploit)

Status
Not open for further replies.

strikeselect

You like me, you really really like me!
http://www.techrepublic.com/article/beware-of-danger-lurking-in-android-phone-updates/

Researchers have determined that the Android update process has a vulnerability that allows permission elevation without user knowledge.

Researchers from Indiana University and Microsoft Research have found updating software to remove vulnerabilities is not always what it seems, especially when it comes to the Android operating system. This paper, to be presented by the research team at the Institute of Electrical and Electronics Engineers' Security and Privacy Symposium next month, sheds light on security issues resulting from the way Android is updated, more specifically how Android's Package Management Service (PMS) works.

In the paper, the research team said, "We confirmed the presence of the issues in all Android Open Source Project versions and 3,522 source-code versions customized by Samsung, LG, and HTC. Those flaws affect all the Android devices worldwide, posing serious threats to billions of Android users who are encouraged to update their systems."

Once the malware has gained access to one of the Pileup flaws, it is possible that attackers could exploit the following activities. The ones that are available to the attackers depend on the version of Android OS the device is running after being updated:

Obtain permission to access voicemails, user credentials, call logs and notifications of other apps.
Send SMS.
Start any activity regardless of permission protection or export state.
Replace official Google Calendar app with a malicious one to get the phone user's event notifications.
Drop JavaScript code in the data directory to be used by the new Android browser so as to steal the user's sensitive data.
Prevent users from installing critical system apps such as Google Play Services.

Since the research team was able to load the test malware into Google Play, relying on Google's Bouncer was not acceptable to them. To that end, the team developed Secure Update Scanner:

Wang mentioned, "The app is powered by a vulnerability dataset with over 2 million records we collected through analyzing thousands of Android factory images. It is important for people who own Android devices to scan their systems using the app before clicking on the update button."

When asked about existing antimalware, Wang said he doubted that it would detect malware exploiting the Pileup flaws. He said this threat was new, complicated and context-dependent.

video demo of exploit: https://www.youtube.com/watch?v=FyIujYPO3nw
app to check for pileup malware: https://play.google.com/store/apps/details?id=com.iu.seccheck
 