A new form of Android malware could bypass one of the main warning systems built into Google’s smartphone and tablet OS - allowing malicious apps to ‘sneak’ onto a phone with a relatively innocuous list of ‘Permissions’, then add new, malicious abilities during phone upgrades, according to Indiana University researchers.

For instance, an innocuous looking game or app could remain in place until the phone or network forces an upgrade, and then could suddenly add permissions to access accounts and data within the phone - allowing it to work as a password stealer. The process would happen without the phone user even being aware, according to Cite World.  

The app would install with a low level of permissions (many Android users now inspect the list, as it can include security risks such as reading phone calls or sending premium messages, as reported by WeLiveSecurity here), and thus ‘pass under the radar’, according to CitEWorld’s report.

Writing in a blog post, the Indiana Univesity researchers found that it was possible to install apps with either no Permisssions - which an app reveals to a user as it installs, such as ‘(Access to SD Card) - or a few, innnocuous ones, then add more sinister functions when the operating system is upgraded.

On many Android phones, OS upgrades are pushed out by operators when available, and users are urged to update to the newest version for security reasons.

However, the Indiana University researchers found that, while the OS upgrade may well fix security loopoles, quietly upgrading the Permisssions of an unknown app may allow malware near-complete control of the device Any OS upgrade allows apps, “to automatically acquire significant capabilities without users’ consent once they upgrade to newer versions," the researchers wrote.

The researchers warn that the flaw affects ALL Android users worldwide, regardless of the age of their handset.

According to Threatpost's report, the flaw involves the Package Management System which Google uses to update apps. When dealing with older versions of Google's OS, the software impoperly vets the privileges selected by apps, the site reported.

The researchers write, “Such capabilities include automatically obtaining all new permissions added by the newer version OS, replacing system-level apps with malicious ones, injecting malicious scripts into arbitrary webpages, etc. We call these vulnerabilities Pileup flaws (privilege escalation through updating). In total, we discovered six Pileup flaws in the code of Android OS. Those flaws affect all the Android devices worldwide, posing serious threats to billions of Android users who are actually encouraged to update their systems.”

Many apps - such as Facebook’s, have come under fire for Permissions which alter after the app has been installed. For instance, Facebook now requires the ability to turn a smartphone’s Wi-Fi connection on and off, as reported by We Live Security here. Most have innocent explanations,   A video showing

Protecting against apps which ask for further permissions after install is difficult. Apps built to go online update frequently, for perfectly valid security reasons - and often without alerting the users, at least not as clearly as the alerts on Android’s built-in Permissions menu.

“As Facebook users have noted over the last few weeks, for example, their Android app is now demanding access to SMS / MMS, calendar events, and WiFi control,” commented The Register.

Google’s solution for this was withdrawn rapidly, and a rash of new apps, including one supported by antivirus veteran John McAfee, aims to fill what usrs feel is a gap in Google’s OS.  It’s relatively common for seemingly innocuous apps to hide malicious functions in the “permissions” screen - a list of data which the app requires access to.

A We Live Security guide to spotting ‘bad’ apps from good can be found here.