Luyi Xing*, Xiaorui Pan*, Rui Wang+, Kan Yuan* and XiaoFeng Wang*
People tend to believe that an OS upgrade makes their mobile devices much securer and more reliable, because the new OS version presumably fixes security loopholes and enhances the system’s security protection. However, our recent study on the current Android upgrade mechanism brings to light a whole new set of vulnerabilities pervasively existing in almost all Android versions, which allow a seemingly harmless malicious app ("unprivileged app" in the security term) running on a version of Android to automatically acquire significant capabilities without users’ consent once they upgrade to newer versions! Such capabilities include automatically obtaining all new permissions added by the newer version OS, replacing system-level apps with malicious ones, injecting malicious scripts into arbitrary webpages, etc. We call these vulnerabilities Pileup flaws (privilege escalation through updating). In total, we discovered six Pileup flaws in the code of Android OS. We further confirmed the presence of the issues in all AOSP (Android Open Source Project) versions and 3,522 source code versions customized by Samsung, LG and HTC across the world. Those flaws affect all the Android devices worldwide, posing serious threats to billions of Android users who are actually encouraged to update their systems.
A distinctive feature of the threat is that the attack is not aimed at a vulnerability in the current system. Instead, it exploits the flaws in the updating mechanism of the “future” OS, which the current system will be upgraded to. More specifically, through the app running on a lower version Android, the adversary can strategically claim a set of carefully selected privileges or attributes only available on the higher OS version. For example, the app can define a new system permission such as android.permission.READ_PROFILE (read the user’s personal profile data) on Android 2.3.6, which is to be added on 4.0.x. It can also use the shared user ID (UID) (a string specified within an app’s manifest file) of a new system app on 4.0.x, its package name and other attributes. Since these privileges and attributes do not exist in the old system (2.3.6 in the example), the malicious app can silently acquire them (self-defined permission, shared UID and package name, etc.). When the system is being updated to the new one, the Pileup flaws within the new Package Manager will be automatically exploited. Consequently, such an app can stealthily obtain related system privileges, resources or capabilities. In the above example, once the phone is upgraded to 4.0.x, the app immediately gets android.permission.READ_PROFILE without the user’s consent and even becomes its owner, capable of setting its protection level and description. Also, the preempted shared UID enables the malicious app to substitute for system apps such as Google Calendar, and the package name trick was found to work on the Android browser, allowing the malicious app to contaminate its cookies, cache, security configurations and bookmarks, etc.
Figure 1. Exploit opportunities
To show that malicious apps exploiting Pileup flaws can be accepted by today’s Android app stores such as Google Play, Amazon’s appstore for Android, etc., we developed a number of such apps and submitted them to various app markets. We successfully published the malicious apps on Google Play store to request new dangerous permissions added by newer Android OS and new system apps, to define new “Dangerous”, “Signature”, “SignatureOrSystem” permissions and to take shared UID of system apps. We have also successfully published those apps to other app markets such as Amazon AppStore for Android, GetJar, etc. We immediately removed the apps from the markets once they are approved for publication.
Below is a list of video demos which show how a seemingly harmless app can exploit Pileup flaws to cause various bad consequences, including stealing all of your Google Voice messages, hacking your Google account, stealing your passwords for banking sites, etc., once you upgrade to newer version of Android.
Description of the demos:
Because Pileup flaws profoundly degrade security of Android devices by exploiting Android Update, this further leads to an embarrassing situation for the Android ecosystem. On the one hand, OS updates are very important or even critical if they include urgent fixes for security bugs; on the other hand, with Pileup flaws, every OS update offers bad guys opportunities to attack Android users. We believe that a security app dedicated to Pileup flaws is very necessary. Users can use such an app to make sure their devices are free of malware before they run Android Update. Therefore, we developed an app called Secure Update Scanner for this purpose. The app scans the user’s device to detect any malicious apps which exploit Pileup flaws and provides useful instructions to guide users uninstall malicious apps if discovered and securely update their devices afterwards.
We suggest users install the Secure Update Scanner app on their devices and run it before every system update. It only takes a few seconds to finish the scan. The app is available for free on Google Play, Amazon AppStore for Android, SlideMe, and 360 Mobile Assistant (for Chinese users).
· Amazon AppStore for Android: http://www.amazon.com/gp/product/B00IZOHC40
· 360 Mobile Assistant: http://zhushou.360.cn/detail/index/soft_id/1594856
New: Our Secure Update Scanner app has been trusted by users from all over the world. As of now, we have observed users from 163 countries/districts installing and using our app for the security of their devices and more are joining the list. Here is the full list: United States, France, Germany, Spain, Italy, China, Portugal, Canada, United Kingdom, Poland, Switzerland, Belgium, India, Australia, Brazil, Thailand, Austria, Netherlands, Hong Kong, Malaysia, Taiwan, Morocco, Singapore, Indonesia, Mexico, Algeria, Ireland, Philippines, South Africa, Greece, Egypt, Russia, Pakistan, Saudi Arabia, Sweden, Vietnam, Romania, Tunisia, Honduras, Iraq, Norway, New Zealand, Nigeria, Eritrea, Japan, Denmark, Luxembourg, Ivory Coast, Burkina Faso, Bulgaria, Bangladesh, Argentina, United Arab Emirates, Mauritius, Ecuador, Albania, Colombia, Israel, Panama, Iran, Hungary, Serbia, Kuwait, Myanmar, Finland, Turkey, French Polynesia, Haiti, Ukraine, Uruguay, New Caledonia, Czech Republic, Guatemala, Ghana, South Korea, Senegal, Sri Lanka, Kenya, Slovakia, Cyprus, Croatia, Qatar, Peru, Bahrain, Yemen, Lebanon, Jamaica, Reunion, Paraguay, Macao, Cameroon, Djibouti, Sudan, Chile, Venezuela, Georgia, Trinidad and Tobago, Puerto Rico, Costa Rica, Monaco, Lithuania, Gabon, Tanzania, Slovenia, Madagascar, Angola, Estonia, Mongolia, Jordan, Benin, Barbados, Namibia, Mali, Nicaragua, Afghanistan, Dominican Republic, Uzbekistan, Uganda, Malta, Palestine, Burundi, The Democratic Republic Of Congo, El Salvador, Niger, Cambodia, Brunei, South Sudan, Curacao, Zimbabwe, Nepal, Suriname, Tajikistan, Bosnia and Herzegovina, Mozambique, Mauritania, Jersey, Ethiopia, Laos, Montenegro, Fiji, Rwanda, Oman, Libya, Bolivia, Syria, Botswana, San Marino, Iceland, Guinea, Comoros, Azerbaijan, Greenland, Andorra, Latvia, Gambia, Martinique, Congo, Maldives, Moldova, Guam, Kyrgyzstan, Central African Republic, and Cape Verde.
There are some other potential mitigations, one of which is to only install apps from Google Play store. A caution is that we are not sure whether Google can/will block all malicious apps. Because according to our tests described in this article (paragraph 4), Google Play actually approved a number of malicious apps we submitted (we immediately removed the apps once approved). Another mitigation is to use a generic anti-virus security app such as Lookout, Avast Mobile Security & Antivirus, 360 Mobile Safe, and many others. However, because Pileup flaws are a new category of complex problems never known before, we believe those generic security apps cannot be easily tuned to detect the malware exploiting Pileup. Our Secure Update Scanner app can achieve high accuracy of detection because it is powered by a vulnerability database with over two million records collected through analyzing thousands of Android factory images.
We have reported the six vulnerabilities to Google on October 14, 2013. On January 08, 2014, Google told us that they had released a patch for the permission-preempting bug (internal tracking # 11242510) to Android vendors. We are not aware of any timeline for the vendors to release their patches to users but will update the website as soon as we get this information. Google also created tracking numbers for other 5 issues we reported. The Android ecosystem is well known for its slow paces in deploying new updates. For example, the latest Android OS KitKat was released on October 31, 2013, but it has only reached 2.5% of the market share after 4+ months. We expect that a complete fix for the problems we discovered will take long time as well.
This research is a joint work of Indiana University and Microsoft Research. We have written a research paper which describes in details about our investigation results and corresponding tools we developed. The paper has been accepted to the 35th IEEE Symposium on Security and Privacy, which is a flagship conference in security. We will present the research work at the conference in May, 2014. Here is the reference of the work.
|Luyi Xing (Indiana University), Xiaorui Pan (Indiana University), Rui Wang (Microsoft Research), Kan Yuan (Indiana University) and XiaoFeng Wang (Indiana University). Upgrading Your Android, Elevating My Malware: Privilege Escalation through Mobile OS Updating. Accepted by the 35th IEEE Symposium on Security and Privacy. San Jose, CA. May, 2014.|
To facilitate the discussion of Pileup flaws and corresponding mitigations, we have created the Secure Android Update discussion group. Please feel free to join the group and post any of your questions.
Last Updated: 04/16/2014