Google is warning users about a critical security flaw in Android that opens the devices up to attacks that could completely compromise the phones and give attackers persistent control of them.
The vulnerability has been exploited by an app found in the Google Play store, and Google officials said it has been used to root some Nexus 5 devices. The company said that all Android devices that are running kernel versions 3.4, 3.10, or 3.14 are vulnerable to the attack. The bug itself is related to a privilege escalation flaw in the Linux kernel that had been identified and fixed in Linux upstream in 2014, but not in Android.
“This is a known issue in the upstream Linux kernel that was fixed in April 2014 but wasn’t called out as a security fix and assigned CVE-2015-1805 until February 2, 2015. On February 19, 2016, C0RE Team notified Google that the issue could be exploited on Android and a patch was developed to be included in an upcoming regularly scheduled monthly update,” Google’s advisory says.
“On March 15, 2016 Google received a report from Zimperium that this vulnerability had been abused on a Nexus 5 device. Google has confirmed the existence of a publicly available rooting application that abuses this vulnerability on Nexus 5 and Nexus 6 to provide the device user with root privileges.”
Researchers from Zimperium, a mobile security firm in Israel, discovered that the issue affected Android and reported it to Google. Zimperium is the same company that discovered the Stagefright Android vulnerability last year, and while this bug hasn’t gotten the same level of attention as Stagefright, the potential damage is just as frightening.
“This issue is rated as a Critical severity issue due to the possibility of a local privilege escalation and arbitrary code execution leading to local permanent device compromise,” Google’s advisory says.
The company has sent an update to carriers who sell Android devices, but the onus for pushing out those patched versions of Android falls on the carriers. U.S. carriers have not been particularly quick about deploying those fixes. Google said it is in the process of finalizing a patch for Nexus devices at the moment.
Written by: Mike Yang
Recent Posts
- 7 Call Center Trends We Expect to See Throughout 2024
- 5 Tips for Improving Contact Center Productivity
- Pindrop’s ICASSP 2024 paper shows how room acoustics can enhance liveness detection
- Pindrop® Pulse, First to Accurately Detect Deepfakes from OpenAI’s Voice Engine
- 4 Top Cybersecurity Trends Discovered From Our Recent CFX Event