Security researchers from Indiana University and Microsoft Research have uncovered a new class of vulnerabilities in the Android operating system (OS) that could enable malicious apps to gain almost unlimited access to and control over a device's data and functions during a system update.
The researchers have dubbed the vulnerabilities privilege escalation through updating (Pileup) flaws, and claim to have located six such flaws in the updating process of the Android OS.
The researchers have created videos demonstrating malicious apps exploiting Pileup flaws during the update process to steal Google Voice messages, take control of Google and other online accounts, and steal mobile banking credentials. The flaws also could be exploited to grant a malicious app the ability to arbitrarily change system-wide permission settings and take control of an infected device.
The researchers say the Pileup flaws affect all Android Open Source Project versions and warn that "every OS update offers bad guys opportunities to attack Android users."
Google has since issued a patch to vendors for one of the vulnerabilities and the researchers have released the free Secure Update Scanner app, which scans Android devices for malicious apps before updating the OS.
View Full Article
Abstracts Copyright © 2014 Information Inc., Bethesda, Maryland, USA