
How to avoid the pileup malware exploit on Android

Jack Wallen introduces you to a must-have application to protect your Android devices from the new pileup flaw.

Pileup malware

Those who can create malware will create malware -- no matter how sneaky they have to be to do so. The latest craze is called pileup malware. The gist is that a seemingly innocent and harmless piece of software is installed on your device (even with the stamp of approval from your malware scanner). The initial install requires little to no permissions, so it looks perfectly safe. The problem comes when it's time to update that software. Without needing your approval, the software will upgrade its own permissions, giving it much more access than it originally had -- there's the pileup (and the rub). You now have an official piece of harmful malware on your machine.

This whole process was discovered by researchers at Indiana University. The same team that discovered the pileup process developed an app (called Secure Update Scanner) that scans your device for apps that can exploit the pileup flaw. You run the app before you update your device to check whether any pileup-exploiting apps are present. This is a very important piece of software and should be installed on every one of your Android devices.

Here's how you install and use this app.

Installation

The installation is as simple as any other app. Just follow these steps:

  1. On your Android device, open the Google Play Store
  2. Search for Secure Update Scanner
  3. Locate and tap the entry by System Security Lab
  4. Tap Install
  5. Tap Accept
  6. Allow the installation to complete

You can now run the app from either your home screen (if a launcher is added), or from the application drawer.

Usage

There's very little required in the usage of Secure Update Scanner. When you first run the app, you'll get a welcome screen that gives you a simple breakdown of how the app is used. Tap Okay, I got it, and you'll be presented with immediate scan results (Figure A).

Figure A

Secure Update Scanner running on a Verizon-branded HTC One Max.

If the app locates any apps that exploit the pileup flaw, it will instruct you how to remove those apps. If it does not find any malicious apps, it will inform you that it's safe to go ahead with the device update. At the bottom of the app, you'll find a button that takes you to the system update window (or, on some devices, to the device information window).

Secure Update Scanner will also inform you of other vulnerabilities, such as Unknown Sources being enabled or installed patches that could compromise your system.

No one wants to live in a walled garden -- akin to the iOS App Store system. Having the Google Play Store open so that it's easy for developers to get their apps into the Android ecosystem makes for a developer-friendly environment. Naturally, this openness lets issues like the pileup flaw get exploited. So, Google must step up to ensure that functionality such as that added by apps like Secure Update Scanner is built into the foundation of the platform.

If there are flaws, people will exploit them... and there will be flaws, as no platform is perfect. Fortunately, there are security labs across the globe locating and protecting/patching these flaws. Users must also take some responsibility and use their devices wisely, which includes using security tools, such as Secure Update Scanner, to ensure their platform is secure.

What do you think? Is the responsibility on Google alone, or do you think end users also need to be accountable? Share your opinion in the comments below.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

5 comments
stephen

Going by your description of the flaw it seems like it's Google's fault with Android. On Windows Phone whenever I update an app I have to explicitly re-authorise its permissions. Therefore if an app does need more and I don't read the request properly it's my own fault. This is an easy and sensible way to control this, therefore I think it's up to Google to fix Android.

jamesski

Interesting app. I ran it and it found no bad boys. However, it did say my Android OS was 4.1.2 API 16 (which the system panel in the OS shows too) and then said that the latest was ver. 4.4.2. I clicked on the handy button at the bottom and it sent me to the phone status panel which, after I clicked on system updates, Verizon said I had the latest. Strange...

Rick-J

AIUI, the exploit only happens when you update the OS while apps carrying the malware are already installed. Jack didn't seem to make that clear.

The exploit works by apps requesting new permissions that don't exist in the older OS. Previous Android versions ignore requests for nonexistent permissions, so the rogue app is implicitly given those permissions when the OS updates.
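
The pre-update check that follows from the mechanism described in the comment above, as an added example (not code from the article, the researchers or Secure Update Scanner): it flags installed apps that request platform-namespace permissions the running OS does not define. The namespace prefixes, package names, placeholder permission and sample data are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumption: only names in these namespaces are treated as platform permissions.
PLATFORM_PREFIXES = ("android.permission.", "com.android.")

def defined_permissions(pm_output):
    """Parse 'permission:<name>' lines (the style printed by `pm list permissions`)."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines()
            if line.startswith("permission:")}

def audit_manifest(manifest_xml, defined):
    """Return (package, permission) pairs for platform-namespace permissions
    the app requests that the running OS does not define."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown>")
    requested = {node.get(ANDROID_NS + "name", "") for node in root.iter("uses-permission")}
    return sorted((package, name) for name in requested
                  if name.startswith(PLATFORM_PREFIXES) and name not in defined)

def audit_device(manifests, pm_output):
    """Audit every installed app's manifest before an OS update."""
    defined = defined_permissions(pm_output)
    return [hit for xml_text in manifests for hit in audit_manifest(xml_text, defined)]

# Constructed sample data (not taken from a real device or app).
SAMPLE_PM_OUTPUT = """All Permissions:

permission:android.permission.INTERNET
permission:android.permission.READ_CONTACTS
"""
SAMPLE_MANIFESTS = [
    """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
                 package="com.example.notes">
         <uses-permission android:name="android.permission.INTERNET"/>
         <uses-permission android:name="com.example.partner.permission.SYNC"/>
       </manifest>""",
    """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
                 package="com.example.flashlight">
         <uses-permission android:name="android.permission.INTERNET"/>
         <uses-permission android:name="android.permission.PLACEHOLDER_FUTURE_PERMISSION"/>
       </manifest>""",
]

if __name__ == "__main__":
    for package, name in audit_device(SAMPLE_MANIFESTS, SAMPLE_PM_OUTPUT):
        print(f"{package}: requests {name}, which this OS version does not define")
```

The third-party permission requested by `com.example.notes` is deliberately not flagged: apps routinely request permissions defined by other apps that may not be installed, so only undefined names in the platform namespaces are treated as a signal.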

GSG

You had the latest Verizon version, not the latest Android version, which is what they were referencing. I found my AT&T Samsung Galaxy SIII runs significantly behind the generic Android releases.

plodder2.0

@GSG Same situation with my Sprint Samsung Galaxy SIII.
