The report comes via researchers from Indiana University and Microsoft and the security flaw is related to the Android update process. They call the bug "Pileup," and say that while the operating system is updating and replacing thousands of files, the bug could allow malicious apps to attach to the update, pretending to be replacements for real update files and then attaching to legitimate apps.
Reads the research report: "A third-party package attribute or property, which bears the name of its system counterpart, can be elevated to a system one during the updating shuffle-up where all apps are installed or reinstalled, and all system configurations are reset. Also, when two apps from old and new systems are merged as described above, security risks can also be brought in when the one on the original system turns out to be malicious."
Currently, the Android security apps and internal security will not detect the files as suspicious, leaving the devices open to injections of malicious JavaScript code.
There are six Pileup vulnerabilities in the Android Package Management Service alone and in over 3000 custom ROMs.
Written by: Andre Yoskowitz @ 27 Mar 2014 12:26
