Indiana University information security expert XiaoFeng Wang recognizes that people believe their mobile devices should become more secure after they install a recommended operating system upgrade. So what could be more dangerous than a malicious app that exploits the very updating mechanism needed for the operating system upgrade?
Wang, an associate professor of informatics and computer science at IU Bloomington's School of Informatics and Computing, and his students have labeled these vulnerabilities, which exist in almost all versions of the Android operating system and can be exploited by malicious apps, "pileup" flaws, and they've found six weaknesses in how Google's operating systems install upgrades.
The weaknesses allow a mobile device to acquire new capabilities, without the owner's permission, once the upgrade is in place. Those capabilities include automatically obtaining all new permissions added by the newer version of the operating system, replacing system-level apps with malicious ones, and injecting malicious scripts into arbitrary web pages. In all, the team confirmed those problems in all versions of Android Open Source Project and in 3,522 source code versions customized by Samsung, LG, and HTC across the world.
But rather than simply identify the problem, the researchers also created a Secure Update Scanner app that helped the team win a top prize at the National Homeland Defense Foundation's annual National Security Technology Competition last month in Colorado Springs, CO. The team finished third behind the University of Rhode Island (Safe Training Aids for Bomb-Sniffing Dogs) and Florida Institute of Technology (VINE: A Cyber Emulation for Advanced Experimentation and Training).
The new security app has already been downloaded over 60,000 times by mobile users in 163 countries. A video demonstrating one type of attack -- eavesdropping on your Google Voice messages after an operating system update -- has helped users understand the problem more clearly, Wang said.
The app and those problematic pileup flaws will also be the topic of presentations the team makes at next week's 35th IEEE Symposium on Security and Privacy, the world's premier forum for the presentation of computer security and electronic privacy developments. The event is hosted by the Institute of Electrical and Electronics Engineers, the world's largest professional association for the advancement of technology.
"The consequences of these stealth attacks are dire, depending on the exploit opportunities on different Android devices," Wang said. "It exists on every Android device and there are over 1 billion Android users."
The team found that, depending on what Android version is in use, the upgrade could allow unprivileged malware to get permissions for accessing voicemails, user credentials, call logs, or notifications of other apps; sending SMS; or starting any activity regardless of permission protection or export state. The malware can also gain complete control of new signature and system permissions, lower their protection levels to "normal," and arbitrarily change descriptions the user needs to read when deciding whether to grant them to an app.
"It can even replace the official Google Calendar app with a malicious one to get the phone user's events, drop JavaScript code in the data directory to be used by the new Android browser so as to steal the user's sensitive data, or prevent someone from installing critical system apps such as Google Play Services," Wang said.
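The two flaw classes described above, an app quietly inheriting permissions that only exist after the upgrade, and an app occupying the package name of a system app the new build will ship, can both be checked for before an update is applied. The following is an added, illustrative pre-upgrade check written for this page; it is not the Secure Update Scanner's own code, and every permission name, package name, version label and protection level in the sample data is constructed for the example rather than taken from the real Android permission history.

```python
"""
Illustrative pre-upgrade "pileup" check (added example, not the Secure
Update Scanner's code). It models two of the flaw classes in the article:

 1. Permission harvesting: an installed app requests a permission that the
    current OS build does not define. Today the request is simply ignored,
    but if the next build introduces that permission it may be granted
    without any prompt to the user.
 2. Package squatting: a third-party app already uses the package name of
    an app that the next build ships as a system app, so the genuine system
    app may be blocked or replaced.

All builds, permission lists and package names below are constructed
sample data for the demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledApp:
    package: str
    requested_permissions: frozenset[str]
    is_system: bool = False


@dataclass(frozen=True)
class Build:
    version: str
    defined_permissions: dict[str, str]  # permission name -> protection level
    system_packages: frozenset[str]


@dataclass(frozen=True)
class Finding:
    kind: str       # "permission_harvest" or "package_squat"
    package: str
    detail: str


def scan_for_pileup(apps, current, next_build):
    """Return the findings an upgrade from `current` to `next_build` would cause."""
    findings = []
    for app in apps:
        if app.is_system:
            continue  # system apps are signed by the platform; out of scope here
        for perm in sorted(app.requested_permissions):
            if perm in current.defined_permissions:
                continue  # already defined, so the normal install prompt covered it
            if perm in next_build.defined_permissions:
                level = next_build.defined_permissions[perm]
                findings.append(Finding(
                    "permission_harvest", app.package,
                    f"{perm} is undefined in {current.version} but becomes a "
                    f"'{level}' permission in {next_build.version}"))
            # undefined in both builds: nothing to harvest from this upgrade
        if (app.package in next_build.system_packages
                and app.package not in current.system_packages):
            findings.append(Finding(
                "package_squat", app.package,
                f"{app.package} is a new system package in {next_build.version} "
                f"but is already installed as a third-party app"))
    return findings


def run_demo():
    """Run the check over constructed sample builds and apps."""
    current = Build(
        version="sample-old",
        defined_permissions={
            "android.permission.INTERNET": "normal",
            "android.permission.READ_CONTACTS": "dangerous",
        },
        system_packages=frozenset({"com.example.settings"}),
    )
    next_build = Build(
        version="sample-new",
        defined_permissions={
            **current.defined_permissions,
            "example.permission.READ_VOICEMAIL": "signatureOrSystem",
        },
        system_packages=frozenset({"com.example.settings", "com.example.squatter"}),
    )
    apps = [
        InstalledApp("com.example.settings", frozenset(), is_system=True),
        InstalledApp("com.example.benign", frozenset({"android.permission.INTERNET"})),
        # requests a permission that only exists after the upgrade
        InstalledApp("com.example.suspect", frozenset({
            "android.permission.INTERNET", "example.permission.READ_VOICEMAIL"})),
        # a permission defined in neither build is harmless for this upgrade
        InstalledApp("com.example.noise", frozenset({"example.permission.NEVER_DEFINED"})),
        # third-party app already holding a package name the new build makes a system app
        InstalledApp("com.example.squatter", frozenset({"android.permission.INTERNET"})),
    ]
    return scan_for_pileup(apps, current, next_build)


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f.kind}] {f.package}: {f.detail}")
```

The check deliberately reports only permissions that are undefined now and defined in the target build; a request for a name that neither build knows is noise for this upgrade, and the sample data includes one such app to show that it is not flagged.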
The team's Secure Update Scanner app is available at Google Play, Amazon AppStore for Android and other app stores, and it's easy to install and use:
- On your Android device, open the Google Play Store.
- Search for Secure Update Scanner.
- Locate and tap the entry by System Security Lab.
- Tap Install.
- Tap Accept.
- Allow the installation to complete.
You can then run the app from your home screen or from the application drawer. When you first run it, just tap "Okay, I got it" at the welcome screen that explains the app and you'll then be given the results of the scan.
In addition to Wang, the research team includes PhD students Luyi Xing, Xiaorui Pan, and Kan Yuan, along with Rui Wang, a former PhD student of Wang's who is now at Microsoft. All are co-authors on the paper, "Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating," which will be presented at the IEEE Symposium on Security and Privacy, May 18 to 21, in San Jose, CA.