Researchers from the University of Indiana and Microsoft have released a joint statement, featuring their discovery of a brand new type of Android exploit never seen before on the open black market until now.
By shining a light on a secret method for obtaining permissions without any notifications popping up on the user’s screen, those working on the project were able to prove the existence of a hole so large it affects every single make, model, and version currently operational inside the Android ecosystem.
The fresh hell that Android users now wake up to in the morning has been given the name “Pileup”, which is a pseudeo-acronym for “privilege execution through updating”. In layman’s terms, it refers to the way in which seemingly ordinary apps can be used to exploit a phone or tablet at all levels of the architecture, depending on what updates are released for which apps the person has downloaded onto their device.
“Every few months, an update is released, which causes replacement and addition of tens of thousands of files on a live system. Each of the new apps being installed needs to be carefully configured to set its attributes within its own sandboxes and its privileges in the system, without accidentally damaging existing apps and the user data they keep,” the researchers wrote. “This complicates the program logic for installing such mobile updates, making it susceptible to security-critical flaws.”
This means the more popular apps installed on your device (Angry Birds, Twitter, anything related to birds pretty much), the higher your risk is of running the most up to date and widely used version of the malware designed to turn them into puppets for virus distribution, bonet infrastructure, or remote surveillance.
The researchers listed rough details on how the system works:
“Through the app running on a lower version of Android, the adversary can strategically claim a set of carefully selected privileges or attributes only available on the higher OS version,” the researchers wrote.
Perhaps most surprisingly is that not only does this problem affect all users of legitimate, unmodified builds of Android. Even popular modifications like CyanogenMod and other unofficial variations of the OS are subject to the exact same worries and concerns that users of a stock Galaxy S4 will feel.
This exploit makes no distinction between names or faces — if you are running any kind of Android, this affects you, and you should be highly suspicious of any apps you download until we hear any kind of official word from Google in response to the problem.
So far the company has only told reporters they are releasing a patch for one of the six main vulnerabilities found so far, and have been uncharacteristicaly tight lipped about the issue since the news first broke.