Greetz from academe: Will research for food


John Aycock

University of Calgary, Canada
Editor: Martijn Grooten


In the last of his ‘Greetz from academe’ series, highlighting some of the work going on in academic circles, John Aycock looks at change in the form of Android update flaws, as well as spare change under the guise of academic funding.

Table of contents

This is the 13th ‘Greetz from Academe’ article, which happens to coincide with Virus Bulletin ceasing to be published in a traditional magazine format. Since VB is undergoing change, it seems fitting for my final instalment to focus on change as well.

I’ll begin with updates, since they introduce all manner of change to a system. In a previous ‘Greetz’ [1], I featured a research paper that dissected anti-virus updates and found a number of worrying problems. Happily, there seem to be more than enough updating flaws to go around, and anti-malware products aren’t in the cross hairs this time – instead, it’s Google’s turn. Xing et al.’s paper on mobile OS privilege escalation [2] appeared in the recent IEEE Symposium on Security and Privacy, a very well-respected security venue.

The researchers delved into what happens when Android devices are updated, and in particular the behaviour of the Android Package Management Service that oversees the updating process. In other words, the Package Management Service – which the paper’s authors insist on abbreviating to ‘PMS’ – is responsible for periodic software bloat. Make your own inappropriate joke here; it’s simply too easy.

Naturally, it would not be a good thing for user data to be lost, or user-installed apps to break, when an update occurs. PMS thus contains some elaborate logic in an attempt to make changes painless but, as the researchers discovered, some loopholes exist that can be exploited by an attacker. Patience is a virtue, and that idea underlies the various possible attacks. An attacker who can get a malicious app installed on a device (these attacks can all pass through third-party app markets, and most of them work on Google Play as well) simply needs to wait.

In one attack, for example, the malicious app claims carefully chosen privileges that have no special meaning on the Android version on which it is installed; when the Android device is updated, however, and those privileges now happen to be needed by a critical system component, PMS handles the conflict by silently giving the malicious app the system-level permission. PMS is, in effect, the Neville Chamberlain of the Android world, trying desperately to appease apps and keep them functional. This example is but one of many updating flaws the researchers uncovered, both in the Google-sanctioned Android versions and in thousands of custom vendor builds. The problems have been reported to Google, whose developers are working on fixing them, but the reality is that it will take a very long time for fixes to trickle out to all affected devices.

Fermat famously scribbled that he had a clever proof of his Last Theorem that was too large to fit in the margin. Looking at the margins of my copy of Xing et al.’s paper, they are nearly too small to contain all the stars and exclamation points with which I marked interesting points while reading it. It’s a good paper. The authors could have stopped after explaining all the flaws, and it would still be a good paper, but in fact they went further and developed a tool to help find these so-called ‘Pileup’ update flaws, which is publicly available [3]. They make the interesting claim there that ‘Generic security apps (e.g. Lookout, Avast!, Norton, etc.) cannot be easily tuned to detect Pileup threats.’ That sounds to me like a challenge.

From updates as change, I’ll turn to the topic of change in the sense of spare change: academic research funding. One of my goals in writing this column was to help bridge the gap between industry and academia, and along the way I’ve tried to explain what the world looks like from the academic point of view. It would be remiss of me not to mention research funding. One reason I went into academia is that I enjoy both teaching and research, yet a disproportionate amount of my time is spent doing neither of those, but instead worrying about getting the money to pay for research. The thing that may be surprising to readers is the scale, because amounts of money that would be lost in the noise on a corporate balance sheet can go quite far in academic research. For anyone in industry who finds themselves awash with what they consider small change, become a patron for an academic researcher. I, for one, would be happy to go all Renaissance in the tradition of da Vinci and Mozart, dedicating my works to the greater glory of CorporateEntity, if it meant I could get real work done!

I hope ‘Greetz from Academe’ has been both entertaining and enlightening over the last 13 months; thanks for reading.


[1] Aycock, J. Greetz from Academe: Full Frontal. Virus Bulletin, February 2014, p.30.

[2] Xing, L.; Pan, X.; Wang, R.; Yuan, K.; Wang, X. Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating. 35th IEEE Symposium on Security and Privacy, 2014.

[3] Pileup Flaws: Vulnerabilities in Android Update Make All Android Devices Vulnerable.



Latest articles:

Fighting Fire with Fire

In 1989, Joe Wells encountered his first virus: Jerusalem. He disassembled the virus, and from that moment onward, was intrigued by the properties of these small pieces of self-replicating code. Joe Wells was an expert on computer viruses, was partly…

Run your malicious VBA macros anywhere!

Kurt Natvig wanted to understand whether it’s possible to recompile VBA macros to another language, which could then easily be ‘run’ on any gateway, thus revealing a sample’s true nature in a safe manner. In this article he explains how he recompiled…

Dissecting the design and vulnerabilities in AZORult C&C panels

Aditya K Sood looks at the command-and-control (C&C) design of the AZORult malware, discussing his team's findings related to the C&C design and some security issues they identified during the research.

Excel Formula/Macro in .xlsb?

Excel Formula, or XLM – does it ever stop giving pain to researchers? Kurt Natvig takes us through his analysis of a new sample using the xlsb file format.

Decompiling Excel Formula (XF) 4.0 malware

Office malware has been around for a long time, but until recently Excel Formula (XF) 4.0 was not something researcher Kurt Natvig was very familiar with. In this article Kurt allows us to learn with him as he takes a deeper look at XF 4.0.

Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.