Andre Yoskowitz
27 Mar 2014 12:26
Android users beware: a new research report has pointed to a critical exploit in the operating system that could lead to over a billion devices being vulnerable.
The report comes via researchers from Indiana University and Microsoft and the security flaw is related to the Android update process. They call the bug "Pileup," and say that while the operating system is updating and replacing thousands of files, the bug could allow malicious apps to attach to the update, pretending to be replacements for real update files and then attaching to legitimate apps.
Reads the research report: "A third-party package attribute or property, which bears the name of its system counterpart, can be elevated to a system one during the updating shuffle-up where all apps are installed or reinstalled, and all system configurations are reset. Also, when two apps from old and new systems are merged as described above, security risks can also be brought in when the one on the original system turns out to be malicious."
Currently, the Android security apps and internal security will not detect the files as suspicious, leaving the devices open to injections of malicious JavaScript code.
There are six Pileup vulnerabilities in the Android Package Management Service alone and in over 3000 custom ROMs.