A new form of Android malware could bypass one of the main warning systems built into Google’s smartphone and tablet OS – allowing malicious apps to ‘sneak’ onto a phone with a relatively innocuous list of ‘Permissions’, then add new, malicious abilities during phone upgrades, according to Indiana University researchers.
For instance, an innocuous looking game or app could remain in place until the phone or network forces an upgrade, and then could suddenly add permissions to access accounts and data within the phone – allowing it to work as a password stealer. The process would happen without the phone user even being aware, according to Cite World.
The app would install with a low level of permissions (many Android users now inspect the list, as it can include security risks such as reading phone calls or sending premium messages, as reported by WeLiveSecurity here), and thus ‘pass under the radar’, according to CitEWorld’s report.
Writing in a blog post, the Indiana Univesity researchers found that it was possible to install apps with either no Permisssions – which an app reveals to a user as it installs, such as ‘(Access to SD Card) – or a few, innnocuous ones, then add more sinister functions when the operating system is upgraded.
On many Android phones, OS upgrades are pushed out by operators when available, and users are urged to update to the newest version for security reasons.