Stealth malware sneaks onto Android phones, then “turns evil” when OS upgrades

A new form of Android malware could bypass one of the main warning systems built into Google’s smartphone and tablet OS – allowing malicious apps to ‘sneak’ onto a phone with a relatively innocuous list of ‘Permissions’, then add new, malicious abilities during phone upgrades, according to Indiana University researchers.

For instance, an innocuous-looking game or app could remain in place until the phone or network forces an upgrade, and then could suddenly add permissions to access accounts and data within the phone – allowing it to work as a password stealer. The process would happen without the phone user even being aware, according to CITEworld.

The app would install with a low level of permissions (many Android users now inspect the list, as it can include security risks such as reading phone calls or sending premium messages, as reported by WeLiveSecurity here), and thus ‘pass under the radar’, according to CITEworld’s report.

Writing in a blog post, the Indiana University researchers found that it was possible to install apps with either no Permissions – which an app reveals to a user as it installs, such as ‘Access to SD Card’ – or a few innocuous ones, then add more sinister functions when the operating system is upgraded.

On many Android phones, OS upgrades are pushed out by operators when available, and users are urged to update to the newest version for security reasons.

However, the Indiana University researchers found that, while the OS upgrade may well fix security loopholes, quietly upgrading the Permissions of an unknown app may allow malware near-complete control of the device. Any OS upgrade allows apps “to automatically acquire significant capabilities without users’ consent once they upgrade to newer versions,” the researchers wrote.

The researchers warn that the flaw affects ALL Android users worldwide, regardless of the age of their handset.

According to Threatpost’s report, the flaw involves the Package Management System which Google uses to update apps. When dealing with older versions of Google’s OS, the software improperly vets the privileges selected by apps, the site reported.

The researchers write, “Such capabilities include automatically obtaining all new permissions added by the newer version OS, replacing system-level apps with malicious ones, injecting malicious scripts into arbitrary webpages, etc. We call these vulnerabilities Pileup flaws (privilege escalation through updating). In total, we discovered six Pileup flaws in the code of Android OS. Those flaws affect all the Android devices worldwide, posing serious threats to billions of Android users who are actually encouraged to update their systems.”
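As an added illustration (not part of the article, nor the researchers’ own scanner), the following Python check shows the defender’s side of the Pileup problem: permissions an app declares that the installed OS version does not yet define are exactly the ones an OS upgrade could grant without any prompt. The permission-to-API-level table and the manifest are constructed samples, not the real Android permission list.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed, illustrative table: the API level at which each permission
# string first became defined. Only a handful of entries, not the full list.
PERMISSION_INTRODUCED = {
    "android.permission.INTERNET": 1,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.READ_CALL_LOG": 16,
    "android.permission.BODY_SENSORS": 20,
}

# Constructed sample manifest for a hypothetical "flashlight" app that
# declares two permissions its target device does not know about yet.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.BODY_SENSORS"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return every android:name on a <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def pileup_candidates(manifest_xml, device_api_level, table=PERMISSION_INTRODUCED):
    """Permissions the app requests that the device OS does not define yet.

    At install time the installer has nothing to show the user for these
    strings; once the OS upgrades to a level where the string becomes a real
    permission, the app already holds it. Unknown strings (not in the table)
    are flagged too, since the check cannot prove they are harmless.
    """
    flagged = []
    for perm in declared_permissions(manifest_xml):
        introduced = table.get(perm)
        if introduced is None or introduced > device_api_level:
            flagged.append(perm)
    return flagged


if __name__ == "__main__":
    for level in (15, 19, 21):
        print(level, pileup_candidates(SAMPLE_MANIFEST, level))
```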

Many apps, such as Facebook’s, have come under fire for Permissions which alter after the app has been installed. For instance, Facebook now requires the ability to turn a smartphone’s Wi-Fi connection on and off, as reported by We Live Security here. Most have innocent explanations. A video showing

Protecting against apps which ask for further permissions after install is difficult. Apps built to go online update frequently, for perfectly valid security reasons – and often without alerting the users, at least not as clearly as the alerts on Android’s built-in Permissions menu.

“As Facebook users have noted over the last few weeks, for example, their Android app is now demanding access to SMS / MMS, calendar events, and WiFi control,” commented The Register.

Google’s solution for this was withdrawn rapidly, and a rash of new apps, including one supported by antivirus veteran John McAfee, aims to fill what users feel is a gap in Google’s OS. It’s relatively common for seemingly innocuous apps to hide malicious functions in the “permissions” screen – a list of data which the app requires access to.

A We Live Security guide to spotting ‘bad’ apps from good can be found here.

Author , We Live Security

  • gisabun

    A lot of this wouldn’t be happening if Google’s Play checked what permissions are being asked. For example, does a flashlight app need access to your contacts? Check if WiFi is on? Does a video player need access to your contacts?

  • Gridlock

    Fun question.
    “If GOOGLE’s ANDROID software is buggy and filled with security holes… just how secure are their web servers and for that matter their insanely creepy centralized GOOGLE+ spyware operation?”

    Bad programming practices rot both the body and the head at the same time.
    As is the small, so is the giant. The laws of the universe work on the small & large scales. The side effect of lousy programming affects the lowly Android smartphone to the Android tablets and the Chrome browser and the huge server farms of GOOGLE. Remember this, it will not go away magically just because the current small selection of bugs are being fixed in a giant field swarming with the locusts of programming incompetence.

    • An interesting question, but I’m not convinced that the general level of Google’s programming and systems administration is as low as you’re assuming. Given the sheer size of the operation, exploitable issues are inevitable: that’s not the same as assuming that the company is packed wall-to-wall with idiots.

Copyright © 2017 ESET, All Rights Reserved.