We have seen cases of bricked devices in the past, some due to bugs and viruses and others due to faulty apps. Things still looked relatively bright until recently, when new bugs were discovered in the Android platform.
Newspeak
Reportedly, six new bugs were uncovered in Google’s Android platform, which shows how vulnerable the operating system is. One of the bugs causes memory corruption on Android 4.2.2, 4.3 and 2.3, and it is highly likely that it is capable of affecting all versions of Android. According to researchers from Indiana University and Microsoft, the new class of Android vulnerabilities is called Pileup flaws. Their paper states that Pileup escalates the installation permissions of malicious apps without informing the user. Pileup stands for ‘privilege escalation through updating’ and the process is triggered once the Android software is updated.
The report says that with each of the frequent updates, numerous files are added to the existing system. This increases the susceptibility of the device software to security flaws and it eventually damages the existing apps. For each app, the attributes and privileges are configured separately without causing any damage to the existing user data. To top it all, the Android user interface avoids popping up security prompts for new permissions and instead auto-configures new apps and updates in the background. The user has no control over this automated action by the OS. Though the feature is for the sake of convenience, the price we pay for it is significant.
Six different Pileup vulnerabilities were uncovered within the Android Package Management Service (PMS). It has been claimed that these vulnerabilities are present in all Android Open Source Project (AOSP) versions, including the customized versions developed by individual manufacturers and carriers, which number more than 3500. Apparently, this makes billions of Android devices across the globe vulnerable to Pileup attacks.
Source
The first encounter with the vulnerability was reported on 16th March by a user named Ibrahim Balic. As I mentioned earlier, this bug corrupts the memory and forces the OS to crash. He added that he tried to upload one such application, which is capable of triggering such a bug, to Google Play, but this crashed the whole service, making it unavailable for other users.
Status
There is talk about the possibility of cybercriminals trying to inflict damage on Android devices. Researchers are still working on uncovering more details of the case. Google has been informed of the vulnerabilities but has refrained from commenting so far. Recently, Google released a patch for one of the six errors and sent it to a few vendors, but there is still no news of a full-fledged remedy.
In the meantime, researchers have launched a new scanner called SecUP that detects the presence of malicious apps and malware. It validates the source code for the same from different Android versions. More info will definitely come out, so let’s wait and watch.