22 March 2016, USA : An application that allows users to gain full control—root access—over their Android devices is taking advantage of a security flaw in the Linux kernel that has remained unpatched in Android since its discovery two years ago.
Rooting is a staple of the Android enthusiast world, but it’s also used by would-be attackers and Google just offered a textbook example of this problem. It’s warning of a vulnerability in Android’s Linux-based kernel that lets apps get root access, giving intruders free rein over your device. And this isn’t just a theoretical exercise — Zimperium says it has spotted publicly available apps that make use of the hole.
It wasn’t until Feb. 19 that researchers from a security outfit called C0RE Team notified Google that the vulnerability could be exploited on Android in order to achieve privilege escalation—the execution of code with the privileges of the root account.
Google started working on a patch that was scheduled to be included in a future monthly update, but then on Mar. 15 researchers from mobile security team Zimperium alerted the company that this vulnerability was already being used to root devices.
“Google has confirmed the existence of a publicly available rooting application that abuses this vulnerability on Nexus 5 and Nexus 6 to provide the device user with root privileges,” Google said in an emergency security advisory.
Fixes are coming quickly, at least for some users. If you’re using the AOSP version of Android, you can install a patch right now. You’ll have to wait if you’re using other releases, but a fix is coming in Google’s next monthly security update, which hits April 2nd. The main concerns are that numerous Android manufacturers don’t offer those updates in a timely fashion, or stop updating devices well before their useful lifespans are over. Even if you’re running Android 6.0 Marshmallow, you might be exposed for months if your hardware maker isn’t on the ball.
Meanwhile, users are advised to only download apps from Google Play and to have the Verify Apps setting turned on. Devices that list a security patch level of March 18, 2016 or later are already protected.