Those who can create malware, will create malware -- no matter how sneaky they have to be to do so. The latest craze is called pileup malware. The gist of this is a seemingly innocent and harmless piece of software is installed on your device (even with the stamp of approval from your malware scanner). The initial install requires little to no permissions, so it looks perfectly safe. The problem comes when it's time to update that software. Without needing your approval, the software will upgrade its own permissions, giving it much more access than it originally had -- there's the pileup (and the rub). You now have an official piece of harmful malware on your machine.
This whole process was discovered by researchers at Indiana University. The same team that discovered the pileup process developed an app (called Secure Update Scanner) that will scan your device for apps that can exploit the pileup flaw. Effectively, the app is run before you update your device to check if there are any pileup exploiting apps present. This is a very important piece of software and should be installed on every one of your Android devices.
Here's how you install and use this app.
The installation is as simple as any other app. Just follow these steps:
- On your Android device, open the Google Play Store
- Search for Secure Update Scanner
- Locate and tap the entry by System Security Lab
- Tap Install
- Tap Accept
- Allow the installation to complete
You can now run the app from either your home screen (if a launcher is added), or from the application drawer.
There's very little required in the usage of Secure Update Scanner. When you first run the app, you'll get a welcome screen that gives you a simple breakdown of how the app is used. Tap Okay, I got it, and you'll be presented with immediate scan results (Figure A).
Security Update Scanner running on a Verizon-branded HTC One Max.
If the app locates any apps that exploit the pileup flaw, it will instruct you how to remove those apps. If it does not find any malicious apps, it will inform you that it's safe to go ahead with the device update. At the bottom of the app, you'll a button that will even take you to the system update window (or, in some devices, to the device information window).
Security Update Scanner will also inform you of other vulnerabilities, such as Unknown Sources enabled or installed patches that could compromise your system.
No one wants to live in a walled garden -- akin to the iOS App Store system. Having the Google Play Store open so that it's easy for developers to get their apps into the Android ecosystem makes for a developer-friendly environment. Naturally, this causes issues like the pileup flaw to get exploited. So, Google must step up to ensure functionalities (such as added by apps like Security Update Scanner) are built into the foundation of the platform.
If there are flaws, people will exploit them... and their will be flaws, as no platform is perfect. Fortunately, there are security labs across the globe locating and protecting/patching these flaws. Users must also take some responsibility and use their devices wisely, which includes using security tools, such as Security Update Scanner, to ensure their platform is secure.
What do you think? Is the responsibility on Google alone, or do you think end users also need to be accountable? Share your opinion in the comments below.
Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.