“Our research brought to light a new type of security-critical vulnerabilities, called Pileup ﬂaws, through which a malicious app can strategically declare a set of privileges and attributes on a low-version operating system (OS) and wait until it is upgraded to escalate its privileges on the new system. Speciﬁcally, we found that by exploiting the Pileup vulnerabilities, the app can not only acquire a set of newly added system and signature permissions but also determine their settings (e.g., protection levels), and it can further substitute for new system apps, contaminate their data (e.g., cache, cookies of Android default browser) to steal sensitive user information or change security conﬁgurations, and prevent installation of critical system services.” reports the paper.
The Pileup ﬂaws are present in all the Android versions, including customized releases, the researchers demonstrated it after they have analyzed the source code of PMS using a program veriﬁcation tool.
“Our research also identiﬁed hundreds of exploit opportunities the adversary can leverage over thousands of devices across different device manufacturers, carriers and countries.” “Every few months, an update is released, which causes replacement and addition of tens of thousands of files on a live system. Each of the new apps being installed needs to be carefully configured to set its attributes within its own sandboxes and its privileges in the system, without accidentally damaging existing apps and the user data they keep,” the researchers wrote. “This complicates the program logic for installing such mobile updates, making it susceptible to security-critical flaws.“
The Pileup flaws allow a hacker to escalate permission, signature and settings for a malicious app that could be used to steal the user’s data. The researchers used a program analyzer to discover 6 distinct Pileup flaws into the Android Package Manager Service, nearly 3,522 source code versions customized by principal manufactures including LG, HTC and Samsung.
According the researchers all the Pileup flaws have been reported to Google by the research team, one of vulnerability has been already fixed by them.
As a result of their work, the researchers developed a scanner app called SecUP that is able to inspect the applications discovering malicious apps already installed on the handset that have been designed to exploit Pileup flaws.
“The detector verifies the source code of PMS (from different Android versions) to identify any violation of a set of security constraints, in which we expect that the attributes, properties (name, permission, UID, etc.) and data of a third-party app will not affect the installation and configurations of system apps during an update,” the researchers explained. “A Pileup flaw is detected once any of those constraints are breached.”