Wednesday 28 September 2022, 16:30 - 17:00
Łukasz Siewierski (Google)
Alec Guertin (Google)
Over-the-air (OTA) updates are a crucial part of the Android operating system. The updates are signed and applied by the operating system, but the process of checking for new updates, downloading the files and handling the user interactions is done by a preinstalled application – an OTA provider. For the operating system's update, the OTA application cannot interfere with the contents of the update in any way. However, to provide lightweight updates to preloaded applications, OTA applications are often also able to download and install applications. Access to these privileges makes OTA applications a potentially interesting target for abuse.
We have identified several cases in which third-party OTA solutions contained code used to secretly download additional apps without user consent during the device's lifetime. This talk covers examples of the problematic additions, the steps we have taken to combat the problem by pre-scanning system images, and the future of the Android OTA ecosystem.
Łukasz is a reverse engineer on the Android Security team at Google, where he takes apart malware and figures out how to stop it from working. Previously, he took apart security incidents at the .pl domain registry, figuring out how to prevent them from happening in the future. Łukasz likes sharing his knowledge by presenting at conferences, including Kaspersky SAS, Virus Bulletin and RSA Conference.
Alec is a researcher with Google's Android Security team. His primary focus is on detecting and preventing malware and vulnerabilities in pre-installed code. Alec also works on promoting secure development practices and educating engineers on common causes of vulnerabilities. You can find more details of his work on the Android Partner Vulnerability Initiative website or his previous talks at the MOSEC, CARO, DroidCon and Android Developer Summit conferences.