The pileup (privilege escalation through updating) flaw allows Malware to upgrade its privileges with the system update.
“An malicious app can strategically declare a set of privileges and attributes on a low-version operating system (OS) and wait until it is upgraded to escalate its privileges on the new system. Specifically, we found that by exploiting the Pileup vulnerabilities, the app can not only acquire a set of newly added system and signature permissions but also determine their settings (e.g., protection levels), and it can further substitute for new system apps, contaminate their data (e.g., cache, cookies of Android default browser) to steal sensitive user information or change security configurations, and prevent installation of critical system services.” the report said.
this can allow Malicious apps to get permission to access voicemails, text messages, call logs and other apps which may also let the Malware decide what updates and permission should be allowed to any other app installed on the device.
Researchers said that all the Official versions and over 3000 customized version of the Android are effected by the flaw,
We systematically analyzed the source code of PMS using a program verification tool and confirmed the presence of those security flaws on all Android official versions and over 3,000 customized versions. Our research also identified hundreds of exploit opportunities the adversary can leverage over thousands of devices across different device manufacturers, carriers and countries.
The flaws has already been reported to the Google, and measures are being taken to fix it.