Google detailed the issue in a security advisory published Friday. The exploit actually derives from a much larger bug in the Linux kernel that Android relies on. Google has discovered malicious apps that can exploit the issue to compromise handsets, including some that have made it into the Google Play Store.
Working exploit implementations exist for both the Google Nexus 5 and Nexus 6 devices running Linux kernel versions 3.4, 3.10 and 3.14. The company was planning to release the update as part of its regular monthly security bulletin but decided to release it out of schedule after Zimperium Labs researchers found functional attacks in the wild.
Google has since updated its Verify Apps tool for Google Play to prevent the installation of apps that hijack devices and exploit the kernel bug. This should help to protect most users from the issue, as the apps must be manually installed from the Play Store, requiring their creators to disguise them as legitimate apps or games if they are to be noticed by users.
“Google has become aware of a rooting application using an unpatched local elevation of privilege vulnerability in the kernel on some Android devices,” said Google. “For this application to affect a device, the user must first install it. We already block installation of rooting applications that use this vulnerability — both within Google Play and outside of Google Play — using Verify Apps, and have updated our systems to detect applications that use this specific vulnerability.”
The bug in the Linux kernel was fixed in April 2014 but wasn’t tagged as a security issue. It was only identified as a potential problem in February 2016 when researchers at C0RE Team alerted Google to the damage it could cause on Android. Google has worked since then to patch the serious vulnerability and remove the malicious apps using it from Google Play.
The issue has a “critical” severity rating because it could allow an attacker to gain persistent or permanent access to a device. The creator of a malicious app could remotely run code or access a user’s data, allowing them to dial premium-rate phone numbers and generate money or even commit identity theft. Google strongly encourages all customers to accept the update once it becomes available in order to remain protected.
Nexus owners can now rest easy, but owners of other Android handsets are likely to remain affected for significantly longer. The patch is now available to manufacturers, but few companies regularly release updates, regardless of security status. Older devices are unlikely to ever receive a fix, leaving owners at risk of yet another major Android bug.