Over a billion devices vulnerable after Android exploit found

Android users beware: a new research report has pointed to a critical exploit in the operating system that could lead to over a billion devices being vulnerable.

The report comes from researchers at Indiana University and Microsoft, and the security flaw is related to the Android update process. They call the bug "Pileup" and say that while the operating system is updating and replacing thousands of files, malicious apps could attach to the update by pretending to be replacements for real update files, and then attach to legitimate apps.

The research report reads: "A third-party package attribute or property, which bears the name of its system counterpart, can be elevated to a system one during the updating shuffle-up where all apps are installed or reinstalled, and all system configurations are reset. Also, when two apps from old and new systems are merged as described above, security risks can also be brought in when the one on the original system turns out to be malicious."

Currently, the Android security apps and internal security will not detect the files as suspicious, leaving the devices open to injections of malicious JavaScript code.

There are six Pileup vulnerabilities in the Android Package Management Service alone and in over 3000 custom ROMs.
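
The condition the report describes, a third-party app already holding a name that the updated system will define, can be checked before an update. The following is an added example, not code from the researchers or from Android: it assumes decoded manifests of installed apps and a list of names introduced by the newer system image, and the choice of attributes to compare (package name, `android:sharedUserId`, defined permissions) and all sample values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
XMLNS = 'xmlns:android="http://schemas.android.com/apk/res/android"'

# Constructed sample: names the NEWER system image defines that the currently
# installed system does not. All values are hypothetical.
NEW_SYSTEM_NAMES = {
    "package": {"com.example.system.vault"},
    "sharedUserId": {"com.example.system.uid.vault"},
    "permission": {"com.example.system.permission.READ_VAULT"},
}

# Constructed sample: decoded manifests of installed third-party apps.
INSTALLED_MANIFESTS = [
    f'<manifest {XMLNS} package="com.example.flashlight">'
    '<permission android:name="com.example.system.permission.READ_VAULT"'
    ' android:protectionLevel="normal"/></manifest>',
    f'<manifest {XMLNS} package="com.example.notes"'
    ' android:sharedUserId="com.example.system.uid.vault"/>',
    f'<manifest {XMLNS} package="com.example.weather">'
    '<uses-permission android:name="android.permission.INTERNET"/></manifest>',
]

def claimed_names(manifest_xml):
    """Return (package, names this app claims, grouped by attribute kind)."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package") or "<unknown>"
    claims = {"package": {pkg}, "sharedUserId": set(), "permission": set()}
    uid = root.get(ANDROID_NS + "sharedUserId")
    if uid:
        claims["sharedUserId"].add(uid)
    # <permission> DEFINES a permission; <uses-permission> only requests one.
    for perm in root.iter("permission"):
        name = perm.get(ANDROID_NS + "name")
        if name:
            claims["permission"].add(name)
    return pkg, claims

def find_preclaims(manifests, new_system_names):
    """Flag third-party apps holding a name the updated system will own."""
    findings = []
    for manifest_xml in manifests:
        pkg, claims = claimed_names(manifest_xml)
        for kind, names in claims.items():
            for name in sorted(names & new_system_names.get(kind, set())):
                findings.append((pkg, kind, name))
    return findings

if __name__ == "__main__":
    for pkg, kind, name in find_preclaims(INSTALLED_MANIFESTS, NEW_SYSTEM_NAMES):
        print(f"REVIEW BEFORE UPDATE: {pkg} pre-claims {kind} {name}")
```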

Written by: Andre Yoskowitz @ 27 Mar 2014 12:26

© 2024 AfterDawn Oy