Android Vulnerability Gives Unwanted Permissions To Malicious Apps


Regardless of what mobile operating system you use, there are bound to be some security flaws. The latest issue is a way for malicious apps on Android devices to receive elevated privileges without a user’s knowledge. Adrian Kingsley-Hughes of ZDNet reports on these so-called “Pileup flaws”.

Pileup is short for privilege escalation through updating, which adequately describes this type of attack.

Each time an update for a device’s current operating system is installed, which can be as often as every few months, a user is at risk. Updates require thousands of files to either be replaced or added to a device. This includes carefully adding new apps without damaging or changing any existing apps. This method creates a vulnerability.

If an existing app is malicious in nature, its developer can request additional permissions that are only available in an updated operating system. Those permissions won’t affect users before they update, so the app may seem legitimate. Once the user updates, however, those permissions are automatically granted with no warning or verification required from the user.

This way, an app can lie dormant until the user updates, then take control of a device. With expanded privileges, malicious apps can control text messages, download malware and monitor activity.

In a similar attack, malicious apps with the same name as a trusted system app can be upgraded to a system app during an update. This gives malicious third-party apps the power to access nearly everything on a device and control functions.
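Both behaviors described above can be checked for before an update is installed. The following is an added example, not code from the researchers or from Google: a pre-update audit that flags third-party apps requesting permissions that only exist in the new OS version, and third-party apps whose package name matches a system app the update will add. It assumes the app inventory and the permission and system-package lists of both OS versions have already been collected; the package names and the split of permissions between versions are constructed sample data.

```python
# Added example: pre-update audit for Pileup-style risks.
# Inventories below are constructed sample data, not taken from a real device.

def pileup_audit(installed, current_os, target_os):
    """Return (package, finding, details) for apps that would gain from the update.

    installed:  {package: {"system": bool, "requested": set of permission names}}
    current_os: {"permissions": set, "system_packages": set} for the running OS
    target_os:  same shape, for the OS version about to be installed
    """
    new_perms = target_os["permissions"] - current_os["permissions"]
    new_sys_pkgs = target_os["system_packages"] - current_os["system_packages"]
    findings = []
    for pkg, info in sorted(installed.items()):
        if info["system"]:
            continue  # only third-party apps are of interest here
        # Permissions that do not exist yet but will exist after the update
        waiting = sorted(info["requested"] & new_perms)
        if waiting:
            findings.append((pkg, "requests-future-permission", waiting))
        # Third-party package already holding the name of a new system app
        if pkg in new_sys_pkgs:
            findings.append((pkg, "name-matches-new-system-app", [pkg]))
    return findings

CURRENT_OS = {
    "permissions": {"android.permission.INTERNET", "android.permission.READ_CONTACTS"},
    "system_packages": {"com.android.settings"},
}
TARGET_OS = {
    "permissions": CURRENT_OS["permissions"] | {"android.permission.READ_CALL_LOG"},
    "system_packages": CURRENT_OS["system_packages"] | {"com.example.newsystemapp"},
}
INSTALLED = {
    "com.android.settings": {"system": True,
                             "requested": {"android.permission.READ_CALL_LOG"}},
    "com.example.flashlight": {"system": False,
                               "requested": {"android.permission.INTERNET",
                                             "android.permission.READ_CALL_LOG"}},
    "com.example.newsystemapp": {"system": False, "requested": set()},
    "com.example.notes": {"system": False,
                          "requested": {"android.permission.INTERNET"}},
}

if __name__ == "__main__":
    for pkg, finding, details in pileup_audit(INSTALLED, CURRENT_OS, TARGET_OS):
        print(f"{pkg}: {finding} {details}")
```

Apps flagged by either check are candidates for review or removal before the update is applied.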

Researchers claim to have found six examples of Pileup vulnerabilities in Android devices, which puts about a billion total devices at risk. Google has been alerted about these vulnerabilities and has already begun patching them.

Discoveries like this reinforce how important it is to exercise caution when downloading apps. Only download from the official app store and, even then, be cautious about what you decide to add to your device.

If your device has been infected with malware or you’re having other issues, bring it to Geek Rescue or call us at 918-369-4335.

March 24th, 2014