If you've read a lot recently about the dangers of granting excessive permissions to mobile apps, you know that apps asking unnecessarily for personal information and control over device functions are best avoided -- or at least managed with tools you can download.
But your best practices for thwarting excessive apps permissions can be used against you by sneaky new malware that upgrades itself when an updated version of Android is installed on the device, researchers at Indiana University have discovered.
The way it works is the user downloads a seemingly harmless app that is "unprivileged," asking for few or even no permissions regarding device data or functionality. And everything is fine -- until the "pileup flaws" kick in.
"Our recent study on the current Android upgrade mechanism brings to light a whole new set of vulnerabilities pervasively existing in almost all Android versions, which allow a seemingly harmless malicious app running on a version of Android to automatically acquire significant capabilities without users' consent once they upgrade to newer versions!" writes the IU System Security Lab team, which calls this sneaky trick "privilege escalation through updating" (or pileup flaws).
Among the capabilities these apps can grant themselves as part of an Android update are new permissions not approved by the user, the ability to replace system-level apps with malicious ones, and the ability to inject malicious scripts into random web pages.
The IU team says it has discovered six pileup flaws in the base Android OS code, as well as versions of Android customized by Samsung, HTC and LG.
"Those flaws affect all the Android devices worldwide, posing serious threats to billions of Android users who are actually encouraged to update their systems," the team writes.
You're probably thinking, "No problem, I'll just avoid those sketchy third-party apps sites and stick to downloading from Google Play."
Sadly, the IU team reports that apps hiding pileup flaws can easily show up in Google Play. The researchers know this because they successfully published their own pileup apps on Google Play, along with the Amazon AppStore for Android and others (they immediately removed the apps upon approval).
With only 2.5% of Android phones having been upgraded to KitKat, the newest version of the mobile OS released more than four months ago, it's easy to see that malicious apps exploiting pileup flaws loom as a potentially large security problem for millions of Android users, many of whom are accessing enterprise data and networks from their potentially infected devices.
The IU team has developed an app called Secure Update Scanner that scans a device for malicious apps which exploit pileup flaws. Which is great -- if you know about it and download it. If you don't, your device is vulnerable to pileup flaws until a patch arrives. The IU team reports that Google said in early January that it has released a patch for pileup flaws to vendors.
Given how painfully slow the Android ecosystem processes updates, it could be weeks or months before the pileup patch is installed on most Android devices. Until then, I guess we'll just have to cross our fingers.
The IU team conducted its research in conjunction with Microsoft Research. It will present a paper on pileup flaws at the 35th IEEE Symposium on Security and Privacy.