Pileup flaws in Android PMS menace more than 1 Billion devices

Pierluigi Paganini March 25, 2014

A group of researchers discovered a series of 6 vulnerabilities, dubbed Pileup flaws, in Android PMS that exposes more than 1 Billion Google-based devices.

Android is the mobile OS that most of all attracts cyber criminals due its capillary diffusion, recently security experts have discovered new malware families targeting the platform and hackers have found numerous vulnerabilities that can harm user’s privacy.
A new shocking news is shacking mobile industry, the Android update process could be exploited by attackers for malicious purpose. A team of researchers at the Indiana University and Microsoft (Luyi Xing, Xiaorui Pan, Kan Yuan and XiaoFeng Wang and Rui Wang of Microsoft) has published a paper titled “Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating” which describes a series of vulnerabilities, dubbed Pileup flaws, that allows attackers to conduct a privilege escalation attack.
The paper shows how it is possible to exploit the weaknesses in the Android Package Management Service (PMS),  the  collection of tools to automate the process of installing, upgrading, configuring, and removing software packages for Android devices.
The Pileup flaws allow privilege escalation through the updating process without notifying anything to the users, more than one billion Android devices at risk.

“Our research brought to light a new type of security-critical vulnerabilities, called Pileup flaws, through which a malicious app can strategically declare a set of privileges and attributes on a low-version operating system (OS) and wait until it is upgraded to escalate its privileges on the new system. Specifically, we found that by exploiting the Pileup vulnerabilities, the app can not only acquire a set of newly added system and signature permissions but also determine their settings (e.g., protection levels), and it can further substitute for new system apps, contaminate their data (e.g., cache, cookies of Android default browser) to steal sensitive user information or change security configurations, and prevent installation of critical system services.” reports the paper.

The Pileup flaws are present in all the Android versions, including customized releases, the researchers demonstrated it after they have analyzed the source code of PMS using a program verification tool.

“Our research also identified hundreds of exploit opportunities the adversary can leverage over thousands of devices across different device manufacturers, carriers and countries.” Every few months, an update is released, which causes replacement and addition of tens of thousands of files on a live system. Each of the new apps being installed needs to be carefully configured to set its attributes within its own sandboxes and its privileges in the system, without accidentally damaging existing apps and the user data they keep,” the researchers wrote. “This complicates the program logic for installing such mobile updates, making it susceptible to security-critical flaws.

The Pileup flaws allow a hacker to escalate permission, signature and settings for a malicious app that could be used to steal the user’s data. The researchers used a program analyzer to discover 6 distinct Pileup flaws into the Android Package Manager Service, nearly 3,522 source code versions customized by principal manufactures including LG, HTC and Samsung.

According the researchers all the Pileup flaws have been reported to Google by the research team, one of vulnerability has been already fixed by them.

As a result of their work, the researchers developed a scanner app called SecUP that is able to inspect the applications discovering malicious apps already installed on the handset that have been designed to exploit Pileup flaws.

Pileup flaws SecUP Scanner

The detector verifies the source code of PMS (from different Android versions) to identify any violation of a set of security constraints, in which we expect that the attributes, properties (name, permission, UID, etc.) and data of a third-party app will not affect the installation and configurations of system apps during an update,” the researchers explained. “A Pileup flaw is detected once any of those constraints are breached.”

Let’s wait for the resolution of remaining flaws.

Pierluigi Paganini

(Security Affairs –  Pileup flaws, Android)



you might also like

leave a comment