Android Flaw Lets Hackers Hijack System Updates

Keeping your Android device updated with the latest version of the mobile operating system is one of the best ways to keep your smartphone or tablet safe. Yet a new proof-of-concept exploit from a security research team shows that malicious hackers could create harmless-looking apps that lie in wait and turn on their users only when devices are updated.

Researchers from the System Security Lab at Indiana University and Microsoft put together a paper on the topic, which they plan to present at the IEEE Symposium on Security and Privacy in May. The paper demonstrates that a weakness in the way Android handles app permissions makes it possible to create "sleeper" apps that become malicious after system updates.

Here's how the exploit, which the researchers call "privilege escalation through updating" or "Pileup," works: A malefactor releases an app that requests very minor permission privileges from older versions of Android — for example, a game that asks to be able to prevent a phone from going into sleep mode while the game's being played.

Hidden in the code, however, are additional requests for permission privileges that exist only in newer versions of Android. Such requests could allow the app to access your contacts, your location or even your financial information.

Yet because older versions of Android — for example, Android 2.3 Gingerbread, still present on nearly a fifth of Android devices despite being three years old — won't recognize those permissions, the privileges will be granted on those systems without seeking the user's approval.

When phones and tablets install Android system updates, such as going from Gingerbread to Android 4.0 Ice Cream Sandwich, they allow existing apps to retain their permission privileges. Otherwise, users would have to manually reconfirm privileges for every single app with each system update.

All a malicious hacker has to do is create an app with dormant additional permissions that only engage once a system upgrade is performed. In effect, the intrusive new permissions are grandfathered in along with the original, harmless permissions that the user accepted.
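The mechanism above comes down to one check a scanner can make before an update arrives: does an installed app request any permission that the running platform does not define yet? The following added example (not code from the researchers' paper or from Secure Update Scanner) parses a constructed manifest and flags such dormant permissions; the permission catalogue is a constructed stand-in for the platform's real permission definitions, and the `com.example.permission.*` names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed stand-in for a permission-to-API-level catalogue. A real
# scanner would derive this from the platform's own permission definitions.
# WAKE_LOCK (API 1) is real; the com.example names are hypothetical
# placeholders for permissions that only newer platform releases define.
PERMISSION_INTRODUCED = {
    "android.permission.WAKE_LOCK": 1,
    "com.example.permission.READ_NEW_CONTACTS_API": 14,  # hypothetical
    "com.example.permission.READ_WALLET": 19,            # hypothetical
}

# Constructed manifest: a "game" that needs only WAKE_LOCK today but also
# declares two permissions the current platform does not yet recognise.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sleepergame">
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="com.example.permission.READ_NEW_CONTACTS_API"/>
    <uses-permission android:name="com.example.permission.READ_WALLET"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return every android:name declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return [el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission")]


def dormant_permissions(manifest_xml, device_api_level, catalogue=PERMISSION_INTRODUCED):
    """Flag requested permissions the running platform does not define.

    A permission introduced after device_api_level (or absent from the
    catalogue altogether) is granted silently at install time and would be
    carried over on the next system update; each is returned as
    (permission, api_level_introduced_or_None) for review.
    """
    flagged = []
    for perm in requested_permissions(manifest_xml):
        introduced = catalogue.get(perm)
        if introduced is None or introduced > device_api_level:
            flagged.append((perm, introduced))
    return flagged


if __name__ == "__main__":
    # Gingerbread is API 10, Ice Cream Sandwich API 14, KitKat API 19.
    for level in (10, 14, 19):
        print(level, dormant_permissions(SAMPLE_MANIFEST, level))
```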

Google is very open about what changes with every Android update, and is clear about when new permissions are added. But most Android devices lag behind the update schedule.

The latest version, Android 4.4 KitKat, released in October, is installed on only 2.5 percent of Android devices. As a result, almost all devices capable of being upgraded to a newer version of Android would be susceptible to the Pileup attack.

The good news is that this exploit has never been found in the wild. The bad news is that there's no reason it couldn't be. The research team anticipated that malicious hackers might use their findings to create their own versions of the Pileup attack.

In order to counteract this potential practice, the System Security Lab has released a free Android app called Secure Update Scanner to both Google Play and the Amazon App Store. This app keeps tabs on programs that can potentially add harmful permissions through future Android updates.

Security experts who want to learn more about how this exploit works should keep an eye out for a more comprehensive explanation at the IEEE conference in May.

Marshall Honorof