Slashdot Mirror


One Billion Android Devices Open To Privilege Escalation

msm1267 (2804139) writes "The first deep look into the security of the Android patch installation process, specifically its Package Management Service (PMS), has revealed a weakness that puts potentially every Android device at risk for privilege escalation attacks. Researchers from Indiana University and Microsoft published a paper that describes a new set of Android vulnerabilities they call Pileup flaws, and also introduces a new scanner called SecUP that detects malicious apps already on a device lying in wait for elevated privileges. The vulnerability occurs in the way PMS handles updates to the myriad flavors of Android in circulation today. The researchers say PMS improperly vets apps on lower versions of Android that request OS or app privileges that may not exist on the older Android version, but are granted automatically once the system is updated.

The researchers said they found a half-dozen different Pileup flaws within Android's Package Management Service, and confirmed those vulnerabilities are present in all Android Open Source Project versions and more than 3,500 customized versions of Android developed by handset makers and carriers; more than one billion Android devices are likely impacted, they said."
Handily enough, the original paper is not paywalled.

3 of 117 comments

  1. Android's a Linux by Anonymous Coward · Score: 0, Flamebait

    For years here on /., all you heard was "Linux = Secure, Windows != Secure", well... explain what's been going on for nearly a decade Penguins, on your 'invulnerable Linux' once it's the most used OS there is on a given computing platform.

    (Like Windows is, was, has been, + will be always on PCs & Servers combined over ANY other competing OS)

    * You know - Lines of bullshit you fed people here from your "Open 'SORES'" crew around here, for decades, vs. many 1,000's of occurrences over a decade now, like this article's an example of.

    APK

    P.S.=> Oh, yes folks: The torrent of bullshit & downmods of this post are inevitable - I am going to sit back, AND lmao (since no matter WHAT they say, they now have to (& you KNOW I'm going to say it, don't you? Of course) "Eat their WORDS" (lol))...

    ... apk

  2. Re:Researchers from Indiana University and Microso by Celexi · Score: 1, Flamebait

    Microsoft research into Android would be highly neutral and non-biased as Microsoft has no direct competition with Android.

  3. Imagine the reverse by mr_mischief · Score: 1, Flamebait

    Think of all the help Microsoft could get spotting security flaws if Google and Stanford could look through the Windows source whenever they chose.