Researchers have determined that the Android update process has a vulnerability that allows permission elevation without user knowledge.
Researchers from Indiana University and Microsoft Research have found updating software to remove vulnerabilities is not always what it seems, especially when it comes to the Android operating system. This paper, to be presented by the research team at the Institute of Electrical and Electronics Engineers' Security and Privacy Symposium next month, sheds light on security issues resulting from the way Android is updated, more specifically how Android's Package Management Service (PMS) works.
In the paper, the research team said, "We confirmed the presence of the issues in all Android Open Source Project versions and 3,522 source-code versions customized by Samsung, LG, and HTC. Those flaws affect all the Android devices worldwide, posing serious threats to billions of Android users who are encouraged to update their systems."
The researchers determined Android allows installed applications, if so designed, to obtain additional capabilities without the owner's consent, just by updating the phone's operating system to a newer version. The key is the phrase, "if so designed." In order to test the theory, the research team led by Dr. XiaoFeng Wang, head of Indiana University's Security Systems Lab, created malware that will leverage the update vulnerability.
As to how this malware can be introduced to Android mobile devices, Wang said the team performed proof of concept tests by submitting several malware-laden apps to Android app stores. Wang said, "We tested by uploading malware to Google Play, Amazon App Store and others; and found the malware was approved for publishing by those stores."
Wang said, "We immediately withdraw the malware once approved to avoid it being downloaded by real users."
The malware, once downloaded and installed on the Android device, remains dormant until the owner updates the operating system. It is interesting to note, by design, the updating process retains all user information. The research paper mentions this convenience complicates the updating process immensely, and unfortunately, that complexity allows certain security issues to be overlooked.
When the phone's operating system updates, the research team's malware also updates. During the update process, the malware gains the ability to leverage one or more of what the research team call Pileup (Privilege Escalation through Updating) flaws:
- Permission harvesting: Request for a permission on an older version, so that when the OS is updated the permission is granted.
- Permission Preempting: Define a permission with the same name as the one to be added by the newer version to get control of the permission.
- Shared UID grabbing: Replace the system app with a malicious one.
- Data contamination: Inject malicious data and configuration to new system apps such as a malicious script being injected into the Google browser's cache.
- Exploiting permission trees: Denying registration of a new app's permissions during an upgrade.
- Block Google Play Service.
Once the malware has gained access to one of the Pileup flaws, it is possible that attackers could exploit the following activities. The ones that are available to the attackers depend on the version of Android OS the device is running after being updated:
- Obtain permission to access voicemails, user credentials, call logs and notifications of other apps .
- Send SMS.
- Start any activity regardless of permission protection or export state.
- Replace official Google Calendar app with a malicious one to get the phone user's event notifications.
- Prevent users from installing critical system apps such as Google Play Services.
The research team, in the paper, explained what they consider the most dangerous capability provided by exploiting a Pileup flaw: "Gain complete control of the new signature and system permissions, lowering their protection levels to 'normal' and arbitrarily changing descriptions the user reads when deciding to grant that application certain permissions."
Example of how a Pileup works
Wang described one scenario on how permission harvesting will net the bad guys access to the owner's voicemail messages. Here is how it happens:
- The malicious app installed on a device with Android 2.3.6 OS defines a permission "com.google.android.apps.googlevoice.permission.RECEIVE_SMS" (a permission required to receive Google Voice SMS messages on Android 4.0.4). Note: On 2.3.6, the OS does not recognize the permission, and will not ask the user about the permission when the malicious app is being installed.
- When the user starts the update process, moving from 2.3.6 to 4.0.4, the updating vulnerability within the new OS enables the malicious app to obtain Google Voice SMS permission on 4.0.4 without the user's consent. As a result, the app is free to read SMS messages of System app Google Voice.
The above exploit is demonstrated in this YouTube video.
Warning: Techy explanation of why Pileup is so dangerous
The research team explained why the Pileup exploit is dangerous: "There are four protection levels for Android permissions. Normal permissions are granted to any app without user's explicit consent. Dangerous permissions are granted to any app upon request, based on user's approval. Signature and SignatureOrSystem permissions are granted to system apps, but never to third-party apps. However, exploiting Pileup flaws, the malicious third-party app can lower any new Signature and SignatureOrSystem permission to a Normal permission without user consent. Once the malicious app obtains such permission, it can do any number of things and none of them good."
Luyi Xing, a member of the research team, wanted to clear up what he said is a misunderstanding presented in some news articles: "Most media outlets mentioned that Google had fixed one of the six Pileup flaws. Other media outlets said all Pileup flaws were fixed. The fact is even though Google claimed to have provided a patch for one (the permission flaw discussed above) of the six Pileup vulnerabilities to vendors this January, it seems the deployment of the patch by Google and other vendors will take longer. The video demo discussed above was recorded March 22, 2014 on Google Nexus S phone, meaning Google's own devices were not patched at that time."
Secure Update Scanner
Since the research team was able to load the test malware into Google Play, relying on Google's Bouncer was not acceptable to them. To that end, the team developed Secure Update Scanner:
Wang mentioned, "The app is powered by a vulnerability dataset with over 2 million records we collected through analyzing thousands of Android factory images. It is important for people who own Android devices to scan their systems using the app before clicking on the update button."
When asked about existing antimalware, Wang said he doubted that it would detect malware exploiting the Pileup flaws. He said this threat was new, complicated and context-dependent.
It is somewhat ironic. Phone manufacturers and mobile telco providers are slow in getting updates pushed out to those who use their devices and services -- and in this case, being slow is a good thing.
It is important to note the research team did the responsible thing and reported the Pileup vulnerabilities to Google on October 14, 2013.