IU informatics team's award-winning Android app heads to premier tech security event

Secure Update Scanner, which counters Google OS upgrade flaws, honored at national security competition

May 15, 2014

FOR IMMEDIATE RELEASE

BLOOMINGTON, Ind. -- Indiana University information security expert XiaoFeng Wang recognizes that people believe their mobile devices should become more secure after they install a recommended operating system upgrade. So what could be more dangerous than a malicious app that exploits the very updating mechanism needed for the operating system upgrade?

Wang, an associate professor of informatics and computer science at IU Bloomington’s School of Informatics and Computing, and his students have labeled the vulnerabilities that malicious apps exploit in almost all versions of Android operating systems as “pileup” flaws, and they’ve found six weaknesses in how Google operating systems install upgrades.

The weaknesses allow a malicious app on a mobile device to acquire new capabilities, without the owner’s permission, once the upgrade is in place. Those capabilities include automatically obtaining all new permissions added by the newer version of the operating system, replacing system-level apps with malicious ones, and injecting malicious scripts into arbitrary Web pages. In all, the team confirmed those problems in all versions of the Android Open Source Project and in 3,522 source code versions customized by Samsung, LG and HTC across the world.

But rather than simply identify the problem, the researchers also created a Secure Update Scanner app that helped the team win a top prize at the National Homeland Defense Foundation’s annual National Security Technology Competition last month in Colorado Springs, Colo. The team finished third behind the University of Rhode Island (Safe Training Aids for Bomb-Sniffing Dogs) and Florida Institute of Technology (VINE: A Cyber Emulation for Advanced Experimentation and Training).

The new security app has already been downloaded over 60,000 times by mobile users in 163 countries. A video demonstrating one type of attack -- eavesdropping on your Google Voice messages after an operating system update -- has helped users understand the problem more clearly, Wang said.

The app and those problematic pileup flaws will also be the topic of presentations the team makes at next week’s 35th IEEE Symposium on Security and Privacy, the world’s premier forum for the presentation of computer security and electronic privacy developments. The event is hosted by the Institute of Electrical and Electronics Engineers, the world’s largest professional association for the advancement of technology.

“The consequences of these stealth attacks are dire, depending on the exploit opportunities on different Android devices,” Wang said. “It exists on every Android device and there are over 1 billion Android users.”

The team found that, depending on what Android version is in use, the upgrade could allow unprivileged malware to get permissions for accessing voicemails, user credentials, call logs or notifications of other apps; sending SMS; or starting any activity regardless of permission protection or export state. The malware can also gain complete control of new signature and system permissions, lower their protection levels to “normal” and arbitrarily change descriptions the user needs to read when deciding whether to grant them to an app.

“It can even replace the official Google Calendar app with a malicious one to get the phone user’s events, drop JavaScript code in the data directory to be used by the new Android browser so as to steal the user’s sensitive data, or prevent someone from installing critical system apps such as Google Play Services,” Wang said.

The team’s Secure Update Scanner app is available at Google Play, Amazon AppStore for Android and other app stores, and it’s easy to install and use:

  1. On your Android device, open the Google Play Store.
  2. Search for Secure Update Scanner.
  3. Locate and tap the entry by System Security Lab.
  4. Tap Install.
  5. Tap Accept.
  6. Allow the installation to complete.

You can then run the app from your home screen or from the application drawer. When you first run it, just tap “Okay, I got it” at the welcome screen that explains the app and you’ll then be given the results of the scan.

In addition to Wang, the research team includes Ph.D. students Luyi Xing, Xiaorui Pan and Kan Yuan, along with Rui Wang, a former Ph.D. student of Wang’s who is now at Microsoft. All are co-authors on the paper, “Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating,” which will be presented at the IEEE Symposium on Security and Privacy, May 18 to 21, in San Jose, Calif.

From left, National Homeland Defense Foundation president Ed Anderson; IU Ph.D. student Luyi Xing; IU associate professor of informatics and computing XiaoFeng Wang; and Marc Dippold of Leidos, a national security consulting company that supported the competition in which IU finished third. | Photo by National Homeland Defense Foundation

Media Contacts

Stephen Chaplin

Manager of Research Communications