The first deep look into the security of the Android patch installation process, specifically its Package Management Service (PMS), has revealed a weakness that puts potentially every Android device at risk for privilege escalation attacks.
Researchers from Indiana University and Microsoft published a paper that describes a new set of Android vulnerabilities they call Pileup flaws, and also introduces a new scanner called SecUP that detects malicious apps already on a device lying in wait for elevated privileges.
The vulnerability occurs in the way PMS handles updates to the myriad flavors of Android in circulation today. The researchers say PMS improperly vets apps on lower versions of Android that request OS or app privileges that may not exist on the older Android version, but are granted automatically once the system is updated.
The researchers said they found a half-dozen different Pileup flaws within Android’s Package Management Service, and confirmed those vulnerabilities are present in all Android Open Source Project versions and more than 3,500 customized versions of Android developed by handset makers and carriers; more than one billion Android devices are likely impacted, they said.
An attacker could use a malicious application to exploit this situation to access data on the device such as user credentials, activity logs, SMS data. The researchers also said a successful attack could also give a hacker control of new signature and system permission, leading to a deeper level of trouble.
The paper, “Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating,” was written by Luyi Xing, Xiaorui Pan, Kan Yuan and XiaoFeng Wang of Indiana University Bloomington and Rui Wang of Microsoft. The frequency of Android updates—estimated to be on average of every 3½ months— and the fragmentation of the Android market make it close to impossible to adequately secure devices, the researchers said.
“Every few months, an update is released, which causes replacement and addition of tens of thousands of files on a live system. Each of the new apps being installed needs to be carefully configured to set its attributes within its own sandboxes and its privileges in the system, without accidentally damaging existing apps and the user data they keep,” the researchers wrote. “This complicates the program logic for installing such mobile updates, making it susceptible to security-critical flaws.”
Pileup flaws, short for privilege escalation through updating, ramp up the permissions given to malicious apps once Android is updated without raising an alarm to the user. “Through the app running on a lower version of Android, the adversary can strategically claim a set of carefully selected privileges or attributes only available on the higher OS version,” the researchers wrote.
The paper said customized versions of Android, such as those developed by device makers and carriers, are especially vulnerable to Pileup attacks. The researchers said manufacturers are purposely conservative with regard to updates so as not to interfere with the user experience. Users who have apps currently installed, for example, expect them to work seamlessly after OS updates and upgrades; that means data and features must transfer. An attacker can get a seemingly benign app on a device that requests privileges not present on the lower OS version. Generally, the Package Management Service must compare the privileges present between updates and will generally grandfather in existing permission requests so as not to interfere with functionality.
“A third-party package attribute or property, which bears the name of its system counterpart, can be elevated to a system one during the updating shuffle-up where all apps are installed or reinstalled, and all system configurations are reset,” the paper said. “Also, when two apps from old and new systems are merged as described above, security risks can also be brought in when the one on the original system turns out to be malicious.”
Upon an OS upgrade, the PMS will install new and existing system apps, including third-party apps, and will register the permissions they declare. That means for a malicious app, the PMS recognizes all the permissions it requests and those are silently granted because it supposes that permissions with an existing app have already been approved by the user.
All of the issues have been reported to Google, the researchers said; Google has already patched one of the six vulnerabilities.
As for the team’s SecUP scanner, it inspects Android APKs already installed on a device, identifying those that are likely to cause privilege escalations during an update, the paper said. SecUP is made up of a number of components, including a vulnerability detector, exploit opportunity analyzer and a risk database, in addition to the scanner app, the paper said.
“The detector verifies the source code of PMS (from different Android versions) to identify any violation of a set of security constraints, in which we expect that the attributes, properties (name, permission, UID, etc.) and data of a third-party app will not affect the installation and configurations of system apps during an update,” the researchers wrote. “A Pileup flaw is detected once any of those constraints are breached.”
The analyzer then kicks in and searches Android factory images for places where privilege escalation could happen; that information is stored in the risk database. The scanner app uses that database to check third-party apps and alerts the user to any potential risks.