Android bugs leave every smartphone and tablet vulnerable to privilege escalation

Researchers from Indiana University and Microsoft have discovered [Paper PDF] a new set of Android vulnerabilities that is capable to carry out privilege escalation attacks because of the weakness in its Package Management Service (PMS) that puts more than one billion Android devices at risk.

The researchers dubbed the new set of security-critical vulnerabilities as Pileup flaws which is a short for privilege escalation through updating, that waylays inside the Android PMS and intensifies the permissions offered to malicious apps whenever an android update occurs, without informing users.

[adsense size='1']

The research was carried out by Indiana University Bloomington researchers, Luyi Xing, Xiaorui Pan, Kan Yuan and XiaoFeng Wang, with the help of Rui Wang of Microsoft.

Six different Pileup vulnerabilities have been found by the researchers within the Android PMS, those are present in all Android Open Source Project versions, including more than 3,500 customized versions of Android developed by handset makers and carriers.

"Every few months, an update is released, which causes replacement and addition of tens of thousands of files on a live system. Each of the new apps being installed needs to be carefully configured to set its attributes within its own sandboxes and its privileges in the system, without accidentally damaging existing apps and the user data they keep," the researchers wrote. "This complicates the program logic for installing such mobile updates, making it susceptible to security-critical flaws."

The researchers also found that by exploiting the Pileup vulnerabilities, a hacker can not only control the system permission and signature but also their settings. Moreover an attacker could use the malicious app to access and steal the device data, including, sensitive user information such as activity logs, user credentials, Contacts, Messages etc.

“A distinctive and interesting feature of such an attack is that it is not aimed at a vulnerability in the current system. Instead, it exploits the flaws in the updating mechanism of the “future” OS, which the current system will be upgraded to,” the researchers wrote. “More specifically, though the app running on a lower version Android, the adversary can strategically claim a set of carefully selected privileges or attributes only available on the higher OS version.”

In short, it means that, if an attacker sends the malicious app update and if the permission don’t exist in the older version of the android that is added to the new version; the malicious app will silently acquire the permissions and when the device is upgraded to the newer version, the pileup flaws will be automatically exploited.

"A third-party package attribute or property, which bears the name of its system counterpart, can be elevated to a system one during the updating shuffle-up where all apps are installed or reinstalled, and all system configurations are reset," the researcher wrote. "Also, when two apps from old and new systems are merged as described above, security risks can also be brought in when the one on the original system turns out to be malicious."

During the update, first the PMS will install all new and existing system apps and then will proceed to install third party apps from the old OS and during the installation of malicious app packed inside PMS, the device will recognize and silently grants all the permissions that malicious app requests, as it supposes that these permissions are with an existing app and have already been approved by the user.

“With the help of a program analyzer, our research discovered 6 such Pileup flaws within Android Package Manager Service and further confirmed their presence in all AOSP (Android Open Source Project) versions and all 3,522 source code versions customized by Samsung, LG and HTC across the world that we inspected, which strongly indicates their existence in all Android devices in the market.”

[adsense size='1']

Moreover detecting the critical flaws, the researchers have developed a new scanner app called SecUP that search for malicious apps already on a device designed to exploit Pileup vulnerabilities. Scanning tool inspects already installed Android application packages (APKs) on the device, in an attempt to identify those that will cause privilege escalations during an update, the paper stated.

The SecUP scanning tool consists of an automated vulnerability detector, a program verification tool for Java that discovers the Pileup flaws within the source code of different Android versions and a threat analyzer that automatically scans thousands of OS images.

[adsense size='2']

“The detector verifies the source code of PMS (from different Android versions) to identify any violation of a set of security constraints, in which we expect that the attributes, properties (name, permission, UID, etc.) and data of a third-party app will not affect the installation and configurations of system apps during an update,” the researchers explained. “A Pileup flaw is detected once any of those constraints are breached.”

All the six vulnerabilities have been reported to Google by the researchers, from which one of it has been fixed by them.