The researchers described the attack's nature in the following words:
The interesting thing is that, unlike the usual case, the attacks are not aimed at the current version of Android; the target is the upgraded future version, where the malware gains rights to information without the user's consent during the upgrade process. These are “called Pileup flaws, through which a malicious app can strategically declare a set of privileges and attributes on a low-version operating system (OS) and wait until it is upgraded to escalate its privileges on the new system.”
The researchers confirmed that the issues exist in all “AOSP (Android Open Source Project) versions and 3,522 source code versions customized by Samsung, LG and HTC across the world.” Probing further, they carried out a measurement study on over 3,549 factory images from Google and Samsung and discovered an enormous number of “attack opportunities across different Android versions, countries, carriers and vendors.”
Google responded by rolling out a patch to vendors for one of the six flaws identified. It is up to the vendors now to push it to your device as soon as possible. Google still needs to find a solution for the remaining five flaws, and it needs to do so quickly, before a seemingly innocent app can wreak havoc across the Android world.
The researchers developed a free security update scanner app named “SecUp” which can be run before any Android update to identify malicious apps that could use Pileup flaws. They have also uploaded videos showing how these Pileup flaws can be exploited by malicious apps. These videos are available at the following YouTube links.
Pileup Attack – Hacking Google account:
Pileup Attack – Phishing on bank sites:
Pileup Attack – Hacking Google Voice messages:
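The core of the Pileup problem described above is an app that declares, on the current OS, privileges or attribute names that only become meaningful after the upgrade. The following is an added example (not the researchers' SecUp code and not from the original article) of the kind of pre-update check a defender can run: it compares each installed app's declared permissions against the permission sets of the installed and the pending OS and flags declarations that the upgrade would silently turn into real privileges. All package names, permission names and protection levels below are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class App:
    """Constructed inventory record for one installed app: the permissions it
    requests (<uses-permission>) and the ones it defines itself (<permission>)."""
    package: str
    requests: set = field(default_factory=set)
    defines: set = field(default_factory=set)

def pileup_candidates(apps, current_perms, upgrade_perms):
    """Flag apps whose declarations only make sense after the upgrade.

    current_perms / upgrade_perms map permission name -> protection level
    ("normal", "dangerous", "signature", ...) for the installed and the pending OS.
    Two situations are reported per app:
      * "requests": a permission the app requests that the current OS does not
        define but the upgrade will (it could be granted during the upgrade
        without any new user consent).
      * "squats": a permission the app itself defines whose name collides with
        one the upgrade introduces (the app's definition could shadow the
        system's).
    Returns {package: {"requests": [...], "squats": [...]}} for flagged apps only.
    """
    new_in_upgrade = {n: lvl for n, lvl in upgrade_perms.items() if n not in current_perms}
    findings = {}
    for app in apps:
        req = sorted((n, new_in_upgrade[n]) for n in app.requests if n in new_in_upgrade)
        squat = sorted((n, new_in_upgrade[n]) for n in app.defines if n in new_in_upgrade)
        if req or squat:
            findings[app.package] = {"requests": req, "squats": squat}
    return findings

# Constructed sample data, not taken from any real device image or from SecUp.
CURRENT_OS = {"android.permission.INTERNET": "normal",
              "android.permission.READ_CONTACTS": "dangerous"}
UPGRADE_OS = dict(CURRENT_OS, **{
    "android.permission.READ_VOICEMAIL": "signature",          # hypothetical: new in the upgrade
    "com.vendor.permission.CLOUD_SYNC": "signatureOrSystem"})  # hypothetical vendor addition

SAMPLE_APPS = [
    App("com.example.benign", requests={"android.permission.INTERNET"}),
    App("com.example.pileup",
        requests={"android.permission.INTERNET", "android.permission.READ_VOICEMAIL"},
        defines={"com.vendor.permission.CLOUD_SYNC"}),
]

if __name__ == "__main__":
    for pkg, hits in pileup_candidates(SAMPLE_APPS, CURRENT_OS, UPGRADE_OS).items():
        print(pkg, hits)
```

On a real device the two permission maps would come from the installed build and the pending update image, and the app inventory from each APK's manifest.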