Android Flaw Lets Hackers Hijack System Updates

Keeping your Android device updated with the latest version of the mobile operating system is one of the best ways to keep your smartphone or tablet safe. Yet a new proof-of-concept exploit from a security research team shows that malicious hackers could create harmless-looking apps that lie in wait and turn on their users only when devices are updated.

Researchers from the System Security Lab at Indiana University and Microsoft put together a paper on the topic, which they plan to present at the IEEE Symposium on Security and Privacy in May. The paper demonstrates that a weakness in the way Android handles app permissions makes it possible to create "sleeper" apps that become malicious after system updates.


Here's how the exploit, which the researchers call "privilege escalation through updating" or "Pileup," works: A malefactor releases an app that requests very minor permission privileges from older versions of Android — for example, a game that asks to be able to prevent a phone from going into sleep mode while the game's being played.

Hidden in the code, however, are additional requests for permission privileges that exist only in newer versions of Android. Such requests could allow the app to access your contacts, your location or even your financial information.

Yet because older versions of Android — for example, Android 2.3 Gingerbread, still present on nearly a fifth of Android devices despite being three years old — won't recognize those permissions, the privileges will be granted on those systems without seeking the user's approval.

When phones and tablets install Android system updates, such as going from Gingerbread to Android 4.0 Ice Cream Sandwich, they allow existing apps to retain their permission privileges. Otherwise, users would have to manually reconfirm privileges for every single app with each system update.

All a malicious hacker has to do is create an app with dormant additional permissions that only engage once a system upgrade is performed. In effect, the intrusive new permissions are grandfathered in along with the original, harmless permissions that the user accepted.
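As an added illustration (not code from the paper, the article, or the Secure Update Scanner app), the following Python model walks through the install-then-update sequence described above: the silent carry-over of an undefined permission, a hardened update path beside it, and a defender's check for apps holding such dormant declarations. The permission tables and the release-to-permission mapping are constructed for illustration only.

```python
# Constructed platform tables: which permissions each release defines.
# The release-to-permission mapping is simplified, not Android's real table.
PLATFORM_PERMISSIONS = {
    "2.3": {"INTERNET", "WAKE_LOCK", "READ_CONTACTS"},
    "4.0": {"INTERNET", "WAKE_LOCK", "READ_CONTACTS", "READ_CALL_LOG"},
}

class InstalledApp:
    def __init__(self, name, declared, granted, undefined_at_install):
        self.name = name
        self.declared = frozenset(declared)      # permissions in the manifest
        self.granted = set(granted)              # what the user actually approved
        self.undefined_at_install = set(undefined_at_install)

def install(name, declared, version, user_approves):
    """Install on the old release: the user is prompted only for permissions
    the platform defines; undefined ones are recorded but never shown."""
    known = PLATFORM_PERMISSIONS[version]
    prompted, unknown = set(declared) & known, set(declared) - known
    if not user_approves(prompted):
        return None
    return InstalledApp(name, declared, prompted, unknown)

def upgrade_vulnerable(app, new_version):
    """Pileup condition: after the update, every declared permission the new
    release defines is treated as already approved, with no prompt."""
    app.granted = set(app.declared & PLATFORM_PERMISSIONS[new_version])
    return app

def upgrade_hardened(app, new_version, user_approves):
    """Mitigation: permissions that were undefined at install time are not
    grandfathered; the user must approve them explicitly after the update."""
    known = PLATFORM_PERMISSIONS[new_version]
    newly_defined = app.undefined_at_install & known
    app.granted &= known
    if newly_defined and user_approves(newly_defined):
        app.granted |= newly_defined
    app.undefined_at_install -= newly_defined
    return app

def dormant_permissions(apps, version):
    """Defender's check before accepting an update: which installed apps
    declare permissions the running release does not define, since those
    could become live on a future update."""
    known = PLATFORM_PERMISSIONS[version]
    return {a.name: sorted(a.declared - known) for a in apps if a.declared - known}
```

Running `dormant_permissions` against the installed set on the old release is the pre-update check; `upgrade_hardened` shows the behaviour the platform needs so that nothing undefined at install time is grandfathered in.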

Google is very open about what changes with every Android update, and is clear about when new permissions are added. But most Android devices lag behind the update schedule.

The latest version, Android 4.4 KitKat, released in October, is installed on only 2.5 percent of Android devices. As a result, almost all devices capable of being upgraded to a newer version of Android would be susceptible to the Pileup attack.

The good news is that this exploit has never been found in the wild. The bad news is that there's no reason it couldn't be. The research team anticipated that malicious hackers might use their findings to create their own versions of the Pileup attack.

In order to counteract this potential practice, the System Security Lab has released a free Android app called Secure Update Scanner to both Google Play and the Amazon App Store. This app keeps tabs on programs that can potentially add harmful permissions through future Android updates.

Security experts who want to learn more about how this exploit works should keep an eye out for a more comprehensive explanation at the IEEE conference in May.


Marshall Honorof

Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi. 

  • William Eddins
    It's only an exploit if those devices on 2.3 are updated. I don't think that's going to be a problem.
  • PudgyChicken
    Ah, yes, I see. Since this has never been used maliciously, let's just publish a report detailing exactly how it works and draw in a lot of publicity before Google has a chance to patch it. Brilliant.
  • derekullo
    All Your Updates Are Belong To Us
  • house70
    Basically, the permissions are granted in a very old Android version, then "grandfathered" into the updated one (if the device ever gets updated). This is useless, mainly because devices that are still on 2.3 will NEVER see any updates. Ever. Also, it is useless because nobody makes devices that run 2.3 anymore, and the exploit is a few years too late. Finally, because the fault lies with the way 2.3 was dealing with unknown permissions. This whole thing is nothing more than some scare tactics targeting a 4 year old OS (not mentioned in the title, though) and lists it as something very actual, when in fact it is completely outdated. Great journalism, indeed.
  • house70
    This is like complaining about WinMe security flaws.
  • ThisIsMe
    You guys all read the article and then got stuck on the one example that they gave. Remember it's just an example. The flaw is still present in the newest versions as well. So if you update from 4.3 to 4.4 and the new version/update has additional permission options then apps can take malicious advantage of that as well. However, this will probably never get to be a huge deal, but it could just the same.