Google is warning users about a critical security flaw in Android that opens the devices up to attacks that could completely compromise the phones and give attackers persistent control of them.
The vulnerability has been exploited by an app found in the Google Play store, and Google officials said it has been used to root some Nexus 5 devices. The company said that all Android devices that are running kernel versions 3.4, 3.10, or 3.14 are vulnerable to the attack. The bug itself is related to a privilege escalation flaw in the Linux kernel that had been identified and fixed in Linux upstream in 2014, but not in Android.
“This is a known issue in the upstream Linux kernel that was fixed in April 2014 but wasn’t called out as a security fix and assigned CVE-2015-1805 until February 2, 2015. On February 19, 2016, C0RE Team notified Google that the issue could be exploited on Android and a patch was developed to be included in an upcoming regularly scheduled monthly update,” Google’s advisory says.
“On March 15, 2016 Google received a report from Zimperium that this vulnerability had been abused on a Nexus 5 device. Google has confirmed the existence of a publicly available rooting application that abuses this vulnerability on Nexus 5 and Nexus 6 to provide the device user with root privileges.”
Researchers from Zimperium, a mobile security firm in Israel, discovered that the issue affected Android and reported it to Google. Zimperium is the same company that discovered the Stagefright Android vulnerability last year, and while this bug hasn’t gotten the same level of attention as Stagefright, the potential damage is just as frightening.
“This issue is rated as a Critical severity issue due to the possibility of a local privilege escalation and arbitrary code execution leading to local permanent device compromise,” Google’s advisory says.
The company has sent an update to carriers who sell Android devices, but the onus for pushing out those patched versions of Android falls on the carriers. U.S. carriers have not been particularly quick about deploying those fixes. Google said it is in the process of finalizing a patch for Nexus devices at the moment.