Hardly a week goes by without yet another press release hitting the desk of your technology journalist, or research flag being raised amongst the IT Security profession, that claims Android is insecure. What Android actually is, just like Windows on the desktop in fact, is a big and attractive target; which in turn makes it the focus of attention for those looking to exploit mobile device vulnerabilities. The bad guys will pour their resources, in terms of both time and money, into discovering and exploiting those vulnerabilities which will present them with the best profit making potential. That, dear reader, is a truism.
The latest such vulnerability to appear on the media radar as far as Android is concerned has been the discovery of a 'privilege escalation flaw' that, according to the headlines at any rate, has the potential to 'leave billions of devices vulnerable to malware attack'. How much of a truism is that, I wonder?
The fact that the privilege escalation vulnerability exists is not in any doubt, despite it being uncovered by Indiana University researchers working in conjunction with Microsoft Research. Just because 'the enemy' (as Microsoft, along with Apple, is oft-perceived when talking about mobile platforms) finds fault does not mean that fault is non-existent. If you want to check out the technical details for yourself, then go read 'Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating' which explains all in some sixteen pages of gloriously geeky detail.
The long and the short of it, however, can be found in the abstract. Android, it explains, is a fast-evolving system with new updates coming out in quick succession, updates that often completely overhaul the OS, with tens of thousands of files being replaced or added across the complex Android architecture. Measures are in place to prevent accidental damage to apps and critical user data during that process, and these rely on complicated program logic; it was this logic that the researchers systematically studied from a security viewpoint. Focusing on the Package Management Service (PMS) of the Android update system, the research found a new type of security-critical vulnerability, which the team responsible named pileup flaws. By exploiting these pileup flaws, the researchers say, a malicious app can "strategically declare a set of privileges and attributes on a low-version operating system (OS) and wait until it is upgraded to escalate its privileges on the new system." Specifically, the researchers found that by exploiting the pileup vulnerabilities, the app can "not only acquire a set of newly added system and signature permissions" but also determine their settings. The paper reveals how such a malicious app can "further substitute for new system apps, contaminate their data (e.g., cache, cookies of Android default browser) to steal sensitive user information or change security configurations, and prevent installation of critical system services."

The abstract goes on to reveal how the researchers systematically analyzed the source code of PMS using a program verification tool and confirmed the presence of those security flaws on all official Android versions and over 3,000 customized versions. The research also identified hundreds of exploit opportunities the adversary can leverage over thousands of devices across different device manufacturers, carriers and countries.
All of which sounds very nasty indeed, and rather deserving of those 'billions of devices at risk' style headlines, don't you think? Well actually I'm not so sure, and I'm not the only one. Michael Sutton, VP of security research at Zscaler, also wonders if things are really as bad as they have been written up. He says "The scope and timing of the flaws is limited", continuing "an attacker would be restricted to newly added privileges in a subsequent version of the Android o/s and the attack would occur at a predictable time - during the update process." Sure, given the broad attack surface presented to the exploit, just about every vendor-specific implementation is at risk, and with Android being such a fractured OS any official Google patch is unlikely to resolve the issue across them all for some time. However, that potential attack window would appear to be so short and restrictive that it's hard to see this vulnerability being exploited across billions of devices as claimed in some headlines.

Furthermore, while it is of course something to be taken seriously (like all security flaws), there are mitigation techniques that can be put in place. From the Google side of the coin, it could simply scan all apps to ensure they do not target these pileup flaws before authorising them for release into the Google Play store (as well as fixing the pileup flaw itself, of course). From the user perspective, there are security suites out there which will automatically scan all new app installations, including updates, for anything malicious. There are even apps appearing now, such as the Secure Update Scanner from System Security Labs, which claims to scan for and detect any malicious apps exploiting the pileup flaw and guides you to uninstall them.
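To make the mechanism described in the abstract (an app pre-declaring names that a later OS release will define as its own) and the kind of pre-upgrade scan mentioned among the mitigations concrete, here is an added example written for this page; it is not code from the paper, from Google or from Secure Update Scanner. It checks an app manifest for names (custom permissions, the package name, content-provider authorities) that collide with names the target Android release will introduce. The sample manifest and the "new in target version" lists are constructed placeholders; a real deployment would derive the latter by diffing the framework manifests of the current and target releases.

```python
"""Flag apps whose manifest pre-declares names a newer Android release will
define for itself (the "pileup" pattern). Added example, not the paper's or
any product's code; all names and manifests below are constructed sample data."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
AUTH_ATTR = "{%s}authorities" % ANDROID_NS

# Constructed placeholders for what the *target* release introduces. A defender
# would build these sets by diffing the framework manifests of the current and
# target releases rather than hand-writing them.
NEW_IN_TARGET = {
    "permissions": {
        "android.permission.EXAMPLE_NEW_SIGNATURE_PERM",
        "android.permission.EXAMPLE_NEW_SYSTEM_PERM",
    },
    "packages": {"com.example.newsystemapp"},
    "authorities": {"com.example.newsystemapp.provider"},
}


def declared_names(manifest_xml: str) -> dict:
    """Collect what a manifest declares: custom <permission> elements, the
    app's own package name, and every content-provider authority."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME_ATTR) for p in root.iter("permission")}
    authorities = set()
    for prov in root.iter("provider"):
        # android:authorities may list several names separated by ';'
        authorities.update(a for a in (prov.get(AUTH_ATTR) or "").split(";") if a)
    return {"package": root.get("package"),
            "permissions": perms,
            "authorities": authorities}


def pileup_collisions(manifest_xml: str, new_in_target=NEW_IN_TARGET) -> list:
    """Return (kind, name) pairs where the app pre-declares a name the target
    release will introduce. A collision is not proof of malice, but it is the
    precondition a pileup exploit relies on, so review it before upgrading."""
    d = declared_names(manifest_xml)
    hits = [("permission", n)
            for n in sorted(d["permissions"] & new_in_target["permissions"])]
    if d["package"] in new_in_target["packages"]:
        hits.append(("package", d["package"]))
    hits += [("authority", n)
             for n in sorted(d["authorities"] & new_in_target["authorities"])]
    return hits


# Constructed sample: a third-party app defining a permission and a provider
# authority that only exist in the target release.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <permission android:name="android.permission.EXAMPLE_NEW_SIGNATURE_PERM"
              android:protectionLevel="normal"/>
  <uses-permission android:name="android.permission.EXAMPLE_NEW_SIGNATURE_PERM"/>
  <application>
    <provider android:name=".P"
              android:authorities="com.example.newsystemapp.provider"/>
  </application>
</manifest>"""

# Constructed sample: an ordinary app that only declares its own names.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <permission android:name="com.example.notes.permission.SYNC"
              android:protectionLevel="signature"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <provider android:name=".NotesProvider"
              android:authorities="com.example.notes.provider"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, pileup_collisions(manifest))
```

Run against every manifest pulled from a device (or submitted to an app store) before the upgrade is pushed, this turns the paper's "declare now, escalate after upgrade" precondition into something an administrator can list and review, which is the same check the abstract's mitigation and the Secure Update Scanner description both imply.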