Android Flaw Lets Hackers Hijack System Updates

Keeping your Android device updated with the latest version of the mobile operating system is one of the best ways to keep your smartphone or tablet safe. Yet a new proof-of-concept exploit from a security research team shows that malicious hackers could create harmless-looking apps that lie in wait and turn on their users only when devices are updated.

Researchers from the System Security Lab at Indiana University and Microsoft put together a paper on the topic, which they plan to present at the IEEE Symposium on Security and Privacy in May. The paper demonstrates that a weakness in the way Android handles app permissions makes it possible to create "sleeper" apps that become malicious after system updates.


Here's how the exploit, which the researchers call "privilege escalation through updating" or "Pileup," works: A malefactor releases an app that requests very minor permission privileges from older versions of Android — for example, a game that asks to be able to prevent a phone from going into sleep mode while the game's being played.

Hidden in the code, however, are additional requests for permission privileges that exist only in newer versions of Android. Such requests could allow the app to access your contacts, your location or even your financial information.

Yet because older versions of Android — for example, Android 2.3 Gingerbread, still present on nearly a fifth of Android devices despite being three years old — won't recognize those permissions, the privileges will be granted on those systems without seeking the user's approval.

When phones and tablets install Android system updates, such as going from Gingerbread to Android 4.0 Ice Cream Sandwich, they allow existing apps to retain their permission privileges. Otherwise, users would have to manually reconfirm privileges for every single app with each system update.

All a malicious hacker has to do is create an app with dormant additional permissions that only engage once a system upgrade is performed. In effect, the intrusive new permissions are grandfathered in along with the original, harmless permissions that the user accepted.

Pileup exploit used against stock Android browser

Google is very open about what changes with every Android update, and is clear about when new permissions are added. But most Android devices lag behind the update schedule.

The latest version, Android 4.4 KitKat, released in October, is installed on only 2.5 percent of Android devices. As a result, almost all devices capable of being upgraded to a newer version of Android would be susceptible to the Pileup attack.

The good news is that this exploit has never been found in the wild. The bad news is that there's no reason it couldn't be. The research team anticipated that malicious hackers might use their findings to create their own versions of the Pileup attack.

Pileup attack used to steal login credentials to online bank account

In order to counteract this potential practice, the System Security Lab has released a free Android app called Secure Update Scanner to both Google Play and the Amazon App Store. This app keeps tabs on programs that can potentially add harmful permissions through future Android updates.
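The mechanism described above (permissions declared for a newer Android version that the running platform does not recognise, then granted without a prompt on upgrade) is exactly what a defensive manifest check such as the Secure Update Scanner needs to flag. The following Python is an added example written for this article, not the researchers' code or the scanner's source: it parses a constructed AndroidManifest.xml, compares each declared permission against a small illustrative subset of platform permissions and the API level that introduced them (the table is deliberately abbreviated, not the full platform list), and reports which declarations would be dormant on a given device and which would become live after an upgrade. The package name and the vendor permission in the sample manifest are made up.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed, abbreviated subset of platform permissions mapped to the API
# level that introduced each one. Illustrative only: a real scanner would load
# the complete permission list for the installed platform build.
PERMISSION_INTRODUCED_IN = {
    "android.permission.WAKE_LOCK": 1,
    "android.permission.INTERNET": 1,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.ACCESS_FINE_LOCATION": 1,
    "android.permission.READ_CALL_LOG": 16,
    "android.permission.READ_EXTERNAL_STORAGE": 16,
}

# Constructed sample manifest: a "game" that asks for WAKE_LOCK (recognised
# everywhere) plus permissions that only exist from API 16 (Android 4.1) on,
# and one vendor permission that no platform level in our table defines.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sleepergame">
    <uses-sdk android:minSdkVersion="9" android:targetSdkVersion="19"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="com.example.vendor.FUTURE_PERMISSION"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return every android:name on a <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def classify_permissions(manifest_xml, device_api_level, known=PERMISSION_INTRODUCED_IN):
    """Split declared permissions into those the platform at device_api_level
    defines (the user is prompted for these at install time) and those it does
    not (dormant: unknown today, possibly granted silently after an upgrade)."""
    recognised, dormant = [], []
    for name in declared_permissions(manifest_xml):
        introduced = known.get(name)
        if introduced is not None and introduced <= device_api_level:
            recognised.append(name)
        else:
            dormant.append(name)
    return recognised, dormant


def activated_by_upgrade(manifest_xml, old_api_level, new_api_level, known=PERMISSION_INTRODUCED_IN):
    """Permissions that were dormant on old_api_level but are defined on
    new_api_level: the set a Pileup-style app would gain without a prompt."""
    _, dormant_before = classify_permissions(manifest_xml, old_api_level, known)
    recognised_after, _ = classify_permissions(manifest_xml, new_api_level, known)
    return [p for p in dormant_before if p in recognised_after]


if __name__ == "__main__":
    # Gingerbread 2.3.x is API 9/10; Jelly Bean 4.1 is API 16.
    recognised, dormant = classify_permissions(SAMPLE_MANIFEST, 10)
    print("Recognised on API 10:", recognised)
    print("Dormant on API 10:   ", dormant)
    print("Would go live after upgrade to API 16:",
          activated_by_upgrade(SAMPLE_MANIFEST, 10, 16))
```

Running it against the sample shows WAKE_LOCK as the only permission a Gingerbread device would actually prompt for, the two API 16 permissions as dormant, and both of them becoming live on an upgrade to Jelly Bean; the vendor permission stays dormant at every level in the table. The useful defensive output is the dormant list itself: any installed app declaring permissions the current platform cannot name deserves review before, not after, the next system update.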

Security experts who want to learn more about how this exploit works should keep an eye out for a more comprehensive explanation at the IEEE conference in May.

Follow Marshall Honorof @marshallhonorof and on Google+. Follow us @tomsguide, on Facebook and on Google+.

  • It's only an exploit if those devices on 2.3 are updated. I don't think that's going to be a problem.
  • Ah, yes, I see. Since this has never been used maliciously, let's just publish a report detailing exactly how it works and draw in a lot of publicity before Google has a chance to patch it. Brilliant.
  • All Your Updates Are Belong To Us