Android upgrade mechanism brings to light a whole new set of
vulnerabilities pervasively existing in almost all Android versions,
which allow a seemingly harmless malicious app (“unprivileged app” in
the security term) running on a version of Android to automatically
acquire significant capabilities without users’ consent once they upgrade to newer versions!
Such capabilities include automatically obtaining all new permissions
added by the newer version OS, replacing system-level apps with
malicious ones, injecting malicious scripts into arbitrary webpages,
Read full article at mSeclabs:
Vulnerabilities in Android Update Make All Android Devices Vulnerable