Security

Beware of danger lurking in Android phone updates

Researchers have determined that the Android update process has a vulnerability that allows permission elevation without user knowledge.

Researchers from Indiana University and Microsoft Research have found that updating software to remove vulnerabilities is not always what it seems, especially when it comes to the Android operating system. This paper, to be presented by the research team at the Institute of Electrical and Electronics Engineers' Security and Privacy Symposium next month, sheds light on security issues resulting from the way Android is updated, more specifically how Android's Package Management Service (PMS) works.

In the paper, the research team said, "We confirmed the presence of the issues in all Android Open Source Project versions and 3,522 source-code versions customized by Samsung, LG, and HTC. Those flaws affect all the Android devices worldwide, posing serious threats to billions of Android users who are encouraged to update their systems."

The vulnerability

The researchers determined that Android allows installed applications, if so designed, to obtain additional capabilities without the owner's consent, just by updating the phone's operating system to a newer version. The key is the phrase "if so designed." To test the theory, the research team led by Dr. XiaoFeng Wang, head of Indiana University's Security Systems Lab, created malware that leverages the update vulnerability.

As to how this malware can be introduced to Android mobile devices, Wang said the team performed proof of concept tests by submitting several malware-laden apps to Android app stores. Wang said, "We tested by uploading malware to Google Play, Amazon App Store and others; and found the malware was approved for publishing by those stores."

Wang said, "We immediately withdrew the malware once approved to avoid it being downloaded by real users."

The malware, once downloaded and installed on the Android device, remains dormant until the owner updates the operating system. It is interesting to note that, by design, the updating process retains all user information. The research paper mentions that this convenience complicates the updating process immensely, and unfortunately that complexity allows certain security issues to be overlooked.

The exploit

When the phone's operating system updates, the research team's malware also updates. During the update process, the malware gains the ability to leverage one or more of what the research team calls Pileup (Privilege Escalation through Updating) flaws:

  • Permission harvesting: Request a permission on an older version, so that when the OS is updated the permission is granted.
  • Permission preempting: Define a permission with the same name as one to be added by the newer version in order to gain control of that permission.
  • Shared UID grabbing: Replace a system app with a malicious one.
  • Data contamination: Inject malicious data and configuration into new system apps, such as a malicious script being injected into the Google browser's cache.
  • Exploiting permission trees: Deny registration of a new app's permissions during an upgrade.
  • Blocking Google Play Services.

Once the malware has gained access to one of the Pileup flaws, attackers could carry out the following activities. Which ones are available to the attackers depends on the version of Android OS the device is running after being updated:

  • Obtain permission to access voicemails, user credentials, call logs and notifications of other apps.
  • Send SMS.
  • Start any activity regardless of permission protection or export state.
  • Replace the official Google Calendar app with a malicious one to get the phone user's event notifications.
  • Drop JavaScript code in the data directory to be used by the new Android browser so as to steal the user's sensitive data.
  • Prevent users from installing critical system apps such as Google Play Services.

The research team, in the paper, explained what they consider the most dangerous capability provided by exploiting a Pileup flaw: "Gain complete control of the new signature and system permissions, lowering their protection levels to 'normal' and arbitrarily changing descriptions the user reads when deciding to grant that application certain permissions."

Example of how a Pileup works

Wang described one scenario of how permission harvesting nets attackers access to the owner's voicemail messages. Here is how it happens:

  1. The malicious app, installed on a device running Android 2.3.6, defines a permission "com.google.android.apps.googlevoice.permission.RECEIVE_SMS" (a permission required to receive Google Voice SMS messages on Android 4.0.4). Note: On 2.3.6, the OS does not recognize the permission, and will not ask the user about it when the malicious app is being installed.
  2. When the user starts the update process, moving from 2.3.6 to 4.0.4, the updating vulnerability within the new OS enables the malicious app to obtain the Google Voice SMS permission on 4.0.4 without the user's consent. As a result, the app is free to read SMS messages of the Google Voice system app.

The above exploit is demonstrated in this YouTube video.
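To make the permission-harvesting scenario concrete, here is a small added model (my own illustration, not the researchers' code or Android's actual PMS) of how a package manager's permission bookkeeping behaves across an OS update. The permission tables, app name and function names are constructed for the example; it contrasts the vulnerable update behaviour described above with a hardened one, and includes a pre-update check in the spirit of the Secure Update Scanner idea: flag installed apps that already request permissions the target OS version is about to introduce.

```python
# Added example, not from the paper or from Android: a toy model of
# permission bookkeeping across an OS update (the Pileup "permission
# harvesting" flaw) plus a defender-side pre-update check.
from dataclasses import dataclass, field

# Constructed permission tables keyed by OS version. Only 4.0.4 defines the
# Google Voice permission, mirroring the 2.3.6 -> 4.0.4 scenario in the text.
GV_PERM = "com.google.android.apps.googlevoice.permission.RECEIVE_SMS"
OS_PERMS = {
    "2.3.6": {"android.permission.INTERNET": "normal"},
    "4.0.4": {"android.permission.INTERNET": "normal",
              GV_PERM: "signature"},
}
PRIVILEGED = {"signature", "signatureOrSystem"}  # never for third-party apps


@dataclass
class App:
    name: str
    requested: set                      # permissions listed in the manifest
    granted: set = field(default_factory=set)


def install(app, os_version):
    """Install on a given OS: unknown permissions are silently skipped (so the
    user is never asked about them) and privileged ones are refused."""
    known = OS_PERMS[os_version]
    app.granted = {p for p in app.requested
                   if p in known and known[p] not in PRIVILEGED}
    return app


def vulnerable_upgrade(apps, new_version):
    """Flawed update as described in the article: every permission an app
    requested earlier is granted once the new OS defines it, no re-check."""
    known = OS_PERMS[new_version]
    for app in apps:
        app.granted |= {p for p in app.requested if p in known}
    return apps


def hardened_upgrade(apps, new_version):
    """Hardened update: newly introduced permissions are never granted at
    upgrade time; a privileged level is refused, anything else must go
    through a fresh user prompt. Returns the deferred requests per app."""
    known = OS_PERMS[new_version]
    deferred = {}
    for app in apps:
        pending = {p for p in app.requested
                   if p in known and p not in app.granted
                   and known[p] not in PRIVILEGED}
        if pending:
            deferred[app.name] = sorted(pending)
    return deferred


def pre_update_scan(apps, current_version, target_version):
    """Defender check to run BEFORE updating: report apps that request
    permissions the current OS lacks but the target OS will introduce."""
    new_perms = set(OS_PERMS[target_version]) - set(OS_PERMS[current_version])
    return {app.name: sorted(app.requested & new_perms)
            for app in apps if app.requested & new_perms}
```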

Warning: Techy explanation of why Pileup is so dangerous

The research team explained why the Pileup exploit is dangerous: "There are four protection levels for Android permissions. Normal permissions are granted to any app without user's explicit consent. Dangerous permissions are granted to any app upon request, based on user's approval. Signature and SignatureOrSystem permissions are granted to system apps, but never to third-party apps. However, exploiting Pileup flaws, the malicious third-party app can lower any new Signature and SignatureOrSystem permission to a Normal permission without user consent. Once the malicious app obtains such permission, it can do any number of things and none of them good."

Misunderstanding

Luyi Xing, a member of the research team, wanted to clear up what he said is a misunderstanding presented in some news articles: "Most media outlets mentioned that Google had fixed one of the six Pileup flaws. Other media outlets said all Pileup flaws were fixed. The fact is even though Google claimed to have provided a patch for one (the permission flaw discussed above) of the six Pileup vulnerabilities to vendors this January, it seems the deployment of the patch by Google and other vendors will take longer. The video demo discussed above was recorded March 22, 2014 on a Google Nexus S phone, meaning Google's own devices were not patched at that time."

Secure Update Scanner

Since the research team was able to load the test malware into Google Play, relying on Google's Bouncer was not acceptable to them. To that end, the team developed Secure Update Scanner:

[Image: Secure Update Scanner. Credit: Indiana University and Microsoft Research]

Wang mentioned, "The app is powered by a vulnerability dataset with over 2 million records we collected through analyzing thousands of Android factory images. It is important for people who own Android devices to scan their systems using the app before clicking on the update button."

When asked about existing antimalware, Wang said he doubted that it would detect malware exploiting the Pileup flaws. He said this threat was new, complicated and context-dependent.

Final thoughts

It is somewhat ironic. Phone manufacturers and mobile telco providers are slow in getting updates pushed out to those who use their devices and services -- and in this case, being slow is a good thing.

It is important to note the research team did the responsible thing and reported the Pileup vulnerabilities to Google on October 14, 2013.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

19 comments
rab

Hope this isn't a dumb question, but how do I find Secure Update Scanner app? I searched for it on my Droid Razr Maxx HD in the Play Store, and nothing came up!

rfmodine

If you are using the Malwarebytes app on your phone, does that provide additional protection? What about the Norton app?

Ramon Soto

Here you have it! For those who talk $hit about the iPhone!

shelbymustang

Would the Secure Update Scanner be necessary if you have Kaspersky Internet Security (or similar) running on the device? On my device it seems to scan each and every update, but after the installation is complete.

fkowal

Now I am no expert on this, but how many of you have phones with Android 2.3.6 and can update them to Android 4.0 something? Eh, I say none. Sure wish my old phone could do it, but those CARRIERS will not update it. Because one.. those old phones are SLOW and don't have enough memory.. Which is why most folks with Androids now have these much more powerful phones that start out with Android 4.0 something. I guess the researchers did update from 2.3.6 by rooting the phones, and then it may be possible. OH, they rooted.. doesn't that void the warranty and potentially brick the phone, and may render the system incompatible or something like that?

But still, if I read this correctly, the update still affects you if going from 4.0 onward to 4.4.2 currently. So I can see what they mean. But it might be why Google hasn't fixed much.. Not many phones get an updated OS unless rooted.

(Oh, I did grab the scan app, just to have it and do the scan for the future)

Rutger Bakker

iPhone has many more bugs and malware than an Android phone

Michael Kassner

@rab

Have you tried loading it from the link I provided? The Play Store should recognize your phone if you are logged into Chrome.

Michael Kassner

@rfmodine

They would be if they have the signatures for all the possible malware apps. What the research team is doing is focusing on the malware for this particular attack. They should have the best chance of finding it. The scanner app is only run just before you update the operating system. Also, I have written about MBAM's Android app. Marcin mentioned that MBAM is not a replacement but an enhancement.

http://www.techrepublic.com/blog/it-security/malwarebytes-anti-malware-mobile-now-protects-android-devices/

Michael Kassner

@shelbymustang

It might. I asked the research team about this in the article, and they said that antimalware apps may not have the right signature files for the Pileup flaw malware.

Michael Kassner

@fkowal

If I understand correctly, Google has the updates; it is the phone manufacturers and mobile telcos that are holding up the show.

jarmaug

@Michael Kassner @rab If the scanner is run AFTER the update is complete, the PILEUP exploits would already have executed. For example, if a malicious app is using the Permission Harvesting exploit, the scanner likely looks for non-existent permissions on apps that will exist after the update introduces them officially.

IMHO, any scanner that executes AFTER an update is merely closing the barn doors after all the horses have gotten out - at least in regards to PILEUP exploits.