A fresh wave of Android bugs have fallen under the radar of a team of researchers from Indiana University and Microsoft and the findings will make you doubt whether to upgrade your version of the popular mobile operating system when future updates come knocking on your door.
Android updates have only a short interval between months to be released in order to update, remove or replace thousands of files on your system. When fresh apps are installed on your phone, an extremely careful configuration must be implemented to set the attributes of each app, thus its privileges within the system. Ideally, that is the requirement. But not all apps go through rigid security systems and some get past the scanner, which makes the installation of apps from Google Play vulnerable to security flaws.
The research team called the vulnerability “privilege escalation through updating,” or Pileup. The bug works by giving malicious apps increased permissions to access the Android platform when new updates are being rolled out while hiding under the radar of security software.
What makes the malware’s activity unnoticeable to device owners is that the Android notification system does not display alerts when new permissions are granted to dubious apps. In other words, the malicious activity is running in the background, which is impossible for users to view since current security software tools are unable to scan the bug. Through this vulnerability, hackers are able to inject JavaScript code, which can be used for various harmful activities such as seizing control of a user’s critical data and compromising the gadget’s security.
There are currently six different Pileup malware found in the Android Package Management Service, which is responsible for Android updates, and the vulnerabilities are affecting all Android Open Source Project versions, according to the researcher team. That means 3,522 source code versions developed by Google OEM partners like Samsung, LG and HTC unknowingly contain these bugs, exposing more than one billion Android devices to potential Pileup attacks.
There is also room for the bug to exploit vulnerabilities of thousands of Android devices from various mobile companies. This is particularly alarming to Google’s mobile operating system, which currently holds the largest market share in the mobile world. As of third quarter of 2013, there have been nearly 12,000 devices that developers are building apps for.
Google also recently announced that Android device activations have reached one billion in September 2013. So by this time, there are more than a million activations. Gartner reports that Android is currently the dominant player in the mobile market, with 81.9 percent share as of 2013 third quarter. So Google has a got a lot of work to do ahead in order to maintain security of these devices.
