Google Acknowledges Vulnerability in Millions of Android Devices; Promises Fix

An application that allows users to gain full control (root access) over their Android devices is taking advantage of a security flaw in the Linux kernel that has remained unpatched in Android since its discovery two years ago.

“This issue is rated as a Critical severity issue due to the possibility of a local privilege escalation and arbitrary code execution leading to local permanent device compromise.” Interestingly, that vulnerability was patched in 2014, but the update wasn’t pushed to Android devices. After confirmation, an over-the-air notification will then be sent to the device itself, with a prior Android platform update in it. Downloading the “update” will then downgrade the current Android N to the Android 6.0 Marshmallow build. It’s warning of a vulnerability in Android’s Linux-based kernel that lets apps get root access, giving intruders free rein over your device. The emergency patch is not, however, related to reports of a new Stagefright flaw, but is for a known Linux kernel vulnerability that Google was scheduled to fix. Friday’s advisory didn’t identify the app that was exploiting the vulnerability except to say it was publicly available, both within and outside of Play, and worked on Nexus 5 and Nexus 6 phones. The vulnerability comes with the identifier CVE-2015-1805, and Google is already working on a security patch, but a couple of security research teams beat Google to discovering the issue and figuring out how it all works.

Google admitted the existence of the vulnerability in a statement last week. Even so, it wasn’t an issue for Android devices since it wasn’t ported to the Android software.

Google will release a security update in the coming days to Nexus devices, while it will be up to OEMs to implement the fix as soon as possible, the company said.

Meanwhile, users are advised to only download apps from Google Play and to have the Verify Apps setting turned on.

Readers with a vulnerable phone should carefully consider the risks before knowingly installing a rooting app that exploits the flaw. That’s the good news.

As with any update or downgrade, changing mobile platforms will erase all data on the device, so users will have to make sure to back up all data before attempting the Android N rollback.

A two-year-old security flaw could give hijackers root access to your Android phone