Hardly a week goes by without yet another press release hitting the desk of your technology journalist, or research flag being raised amongst the IT Security profession, that claims Android is insecure. What Android actually is, just like Windows on the desktop in fact, is a big and attractive target, which in turn makes it the focus of attention for those looking to exploit mobile device vulnerabilities. The bad guys will pour their resources, in terms of both time and money, into discovering and exploiting those vulnerabilities which will present them with the best profit-making potential. That, dear reader, is a truism.

The latest such vulnerability to appear on the media radar as far as Android is concerned has been the discovery of a 'privilege escalation flaw' that, according to the headlines at any rate, has the potential to 'leave billions of devices vulnerable to malware attack'. How much of a truism is that, I wonder?

The fact that the privilege escalation vulnerability exists is not in any doubt, despite it being uncovered by Indiana University researchers working in conjunction with Microsoft Research. Just because 'the enemy' (as Microsoft, along with Apple, is oft-perceived when talking about mobile platforms) finds fault does not mean that fault is non-existent. If you want to check out the technical details for yourself, then go read 'Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating' which explains all in some sixteen pages of gloriously geeky detail.

The long and the short of it, however, can be found in the abstract which explains how, with Android being a fast-evolving system that has new updates coming out in quick succession that often completely overhaul the OS with tens of thousands of files being replaced or added across the complex Android architecture, there are measures in place to prevent accidental damage to apps and critical user data. These include the use of complicated program logic, and it was this that the researchers systematically studied from a security viewpoint. Focusing on the Package Management Service (PMS) of the Android update system, the research found a new type of security-critical vulnerability, which the team responsible named pileup flaws. By exploiting these pileup flaws, the researchers say, a malicious app can "strategically declare a set of privileges and attributes on a low-version operating system (OS) and wait until it is upgraded to escalate its privileges on the new system." Specifically, the researchers found that by exploiting the pileup vulnerabilities, the app can "not only acquire a set of newly added system and signature permissions" but also determine their settings. The paper reveals how such a malicious app can "further substitute for new system apps, contaminate their data (e.g., cache, cookies of Android default browser) to steal sensitive user information or change security configurations, and prevent installation of critical system services." The abstract goes on to reveal how the researchers systematically analyzed the source code of PMS using a program verification tool and confirmed the presence of those security flaws on all Android official versions and over 3,000 customized versions. The research also identified hundreds of exploit opportunities the adversary can leverage over thousands of devices across different device manufacturers, carriers and countries.


All of which sounds very nasty indeed, and rather deserving of those 'billions of devices at risk' style headlines, don't you think? Well actually I'm not so sure, and I'm not the only one. Michael Sutton, VP of security research at Zscaler, also wonders, it would seem, whether things are as bad as they are written. He says, "The scope and timing of the flaws is limited," continuing, "an attacker would be restricted to newly added privileges in a subsequent version of the Android o/s and the attack would occur at a predictable time - during the update process." Sure, given the broad attack surface presented to the exploit, just about every vendor-specific implementation is at risk, and with Android being such a fractured OS any official Google patch is unlikely to resolve the issue across them all for some time. However, that potential attack window would appear to be so short and restrictive that it's hard to see this vulnerability being exploited across billions of devices as claimed in some headlines.

Furthermore, while it is of course something to be taken seriously (like all security flaws), there are mitigation techniques that can be put in place. From the Google side of the coin, it could simply scan all apps to ensure they do not target these pileup flaws before authorising them for release into the Google Play store (as well as fixing the pileup flaw itself, of course). From the user perspective, there are security suites out there which will automatically scan all new app installations, including updates, for anything malicious. There are even apps appearing now, such as the Secure Update Scanner from System Security Labs, which claims to scan for and detect any malicious apps exploiting the pileup flaw and guides you to uninstall them.
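To make the scanning mitigation concrete, here is an added example (not code from the researchers, Google or any scanner product) of the kind of manifest check such a tool could run: it flags an app that defines or requests a permission, or claims a package name, that only the next OS release introduces. The `PLATFORM` table, the permission and package names, and both sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed platform data (assumption): what each OS release defines itself.
PLATFORM = {
    "current": {"permissions": {"android.permission.INTERNET"},
                "packages": {"com.android.browser"}},
    "next": {"permissions": {"android.permission.INTERNET",
                             "android.permission.EXAMPLE_NEW_SIGNATURE_PERM"},
             "packages": {"com.android.browser", "com.android.example.newservice"}},
}

def pileup_findings(manifest_xml, current="current", target="next"):
    """Return sorted (kind, name) findings for one third-party app manifest."""
    root = ET.fromstring(manifest_xml)
    future_perms = PLATFORM[target]["permissions"] - PLATFORM[current]["permissions"]
    future_pkgs = PLATFORM[target]["packages"] - PLATFORM[current]["packages"]
    findings = set()
    # <permission> defines a permission; <uses-permission> only requests one.
    # Defining a name the next OS release owns is the stronger signal; requesting
    # one can be legitimate forward compatibility and needs review.
    for tag, kind in (("permission", "defines-future-permission"),
                      ("uses-permission", "requests-future-permission")):
        for el in root.iter(tag):
            name = el.get(ANDROID + "name")
            if name in future_perms:
                findings.add((kind, name))
    # Package name that only becomes a system app after the upgrade.
    if root.get("package") in future_pkgs:
        findings.add(("claims-future-system-package", root.get("package")))
    return sorted(findings)

# Constructed sample manifests (decoded text form, not binary AXML).
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.example.newservice">
  <permission android:name="android.permission.EXAMPLE_NEW_SIGNATURE_PERM"/>
  <uses-permission android:name="android.permission.EXAMPLE_NEW_SIGNATURE_PERM"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, pileup_findings(xml))
```

The check has to run before the OS upgrade, since that is the only point at which the declaration is still distinguishable from the platform's own.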

I've been using two Android devices for over 2 years now and have never encountered such a problem. One is a Samsung tablet and the other a Samsung smartphone (just purchased about 6 months ago).

I'll be interested in this, had a few Trojans in the past year. There have been a few false positives, too.

Well, I have never run into situations like that. Yesterday I was talking with some of the best experts on Android, and they told me that just by looking into the permissions of the apps you can safeguard yourself from thousands of viruses. They stressed the point that, as in the Android ecosystem every application runs in its own sandbox, the application has access only to those resources that you give it permission for. They urged on me that if you have given an application permission to access your personal details and at the same time you are using some antivirus in order to safeguard your personal data, then the antivirus you have installed is just useless, because you are the one that has given the application access to your personal data! So, antivirus is just useless......

So you would think that the antivirus software ishy

The fact that Android is an open system means that anyone can look down the hood to look for vulnerabilities. This is a good and a bad thing. Security companies can make a name for themselves and get big IT security contracts from identifying many exploits, but this also makes the platform safer. Android is a young operating system; it's still evolving.

Well, I don't know why, but it feels like Android security companies are working hard at searching for vulnerabilities on Android devices and then shaping their security applications accordingly?? I remember last time, when some Heartbleed flaw was detected, an application was first made live to check for it, then the issue was put onto paper. Sometimes it makes me wonder that ...