Google Warns Of Vulnerability In Many Android Devices

by CXOtoday News Desk    Mar 23, 2016


Google has warned that millions of Android smartphones and tablets are vulnerable to security attacks. Android usually maintains a monthly security patch schedule, but Google has released an out-of-cycle fix for a serious vulnerability that affects a majority of devices. The company is working on a security update for Nexus devices and has released the patch for other OEMs to implement.

Google acknowledged the vulnerability in a statement last week. It is present in all Android releases based on Linux kernel version 3.4, 3.10, or 3.14. Android versions based on Linux kernel 3.18 or higher aren’t affected, Google assures. Most Android 6.0 Marshmallow-based devices run Linux kernel v3.18; however, different OEMs often use different Linux kernel versions, so it is hard to correlate Android version with kernel version.

“An elevation of privilege vulnerability in the kernel could enable a local malicious application to execute arbitrary code in the kernel,” the note reads.

Google didn’t disclose the name of the app, though it noted that the offending app was available from Google Play as well as third-party sources, and Nexus 6 and Nexus 5 smartphones were affected. 

Google originally intended to patch up the issue with an upcoming security patch, but a third-party security firm was able to abuse the vulnerability on a Nexus 5. Since then, a rooting app for the Nexus 5 and 6 that abuses the vulnerability has been made publicly available.

This issue is rated critical in severity due to its ability to execute arbitrary code “leading to local permanent device compromise.” Google notes that affected users would have to reflash the entire operating system, thereby losing their data, to fix the issue. In such a scenario, an individual could still be tricked into manually installing the app.

Google will release a security update in the coming days to Nexus devices, while it will be up to OEMs to implement the fix as soon as possible, the company said.