A new research paper reveals the update process involving Android's Package Management Service features vulnerabilities in permissions that may pose a threat to billions of mobile Android users.
Microsoft Research and Indiana University research teams will present a paper next month at the Institute of Electrical and Electronics Engineers' Security and Privacy Symposium that states the security flaw is in all Android Open Source Project versions and 3,522 source-code versions customized by Samsung, LG, and HTC.
"Those flaws affect all the Android devices worldwide, posing serious threats to billions of Android users who are encouraged to update their systems," states the paper, "Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating."
The research is a "systematic study" on the Android updating mechanism, focusing on its Package Management Service (PMS).
"Our research brought to light a new type of security-critical vulnerabilities, called Pileup (Privilege Escalation through Updating) flaws," states the paper.
The researchers say malware can be introduced to Android devices through apps and the research teams conducted malware tests that showed infected apps can be uploaded to several online app stores without detection.
According to the research paper the malware, once downloaded and installed on an Android device, remains dormant until the owner updates the OS. It can then leverage one or more of Pileup flaws. That then lets the hacker send SMS, replace the Google Calendar app, prevent users from installing apps such as Google Play Services and begin any activity.
The biggest threat, according to the researchers, is the ability to gain complete control of the signature and system permissions. The exploit is demonstrated in this YouTube video.
"Most media outlets mentioned that Google had fixed one of the six Pileup flaws. Other media outlets said all Pileup flaws were fixed. The fact is even though Google claimed to have provided a patch for one of the six Pileup vulnerabilities to vendors this January, it seems the deployment of the patch by Google and other vendors will take longer," states the research paper.
For the latest information regarding the vulnerabilities researchers encouraged Android users to visit this site.