A flaw in the Android operating system may leave many Android phones and tablets vulnerable to attack, including the Samsung Galaxy S5 and Google's own Nexus 5. It's the same flaw that was recently discovered in the Linux kernel, on which Android is based — and a just-released Android "rooting" tool that uses the flaw could make the problem even worse.
Exploiting the flaw on an Android device yields root permissions, or total control of the system. That's not itself malicious, but the exploit could also let attackers remotely download malware, copy the device owner's files and other personal data, disable the device's security apps and create a backdoor for more attacks, according to San Francisco-based security firm Lacoon Mobile Security.
The Linux kernel flaw, designated CVE-2014-3153 by the information-security community, was discovered June 7 by a pseudonymous teenage hacker called Pinkie Pie. Four days later, phone hacker George Hotz, who at age 17 became the first to "unlock" an iPhone, released an Android rooting tool called TowelRoot that uses the kernel flaw.
Hotz has made his tool available for download at TowelRoot.com, and said there that the tool should work on all versions of Android made before June 3. (In a mobile developers' forum, Hotz admitted some Motorola and HTC phones seem to be immune.) In a Lacoon company blog post Monday (June 16), Lacoon vice president Ohad Bobrov warned that the bug used in TowelRoot could also be used for purposes far more nefarious than rooting one's own phone.
The Linux kernel bug affects all Linux kernels up to 3.14.5 and is present in Android 4.4 KitKat and earlier, which means most commercial Android phones are affected. To exploit the bug, attackers would need to trick device owners into installing a specially crafted malicious app of the sort commonly found in "off-road" Android app markets.
To protect against this, users should only install Android applications from the Google Play Store and make sure their devices cannot accept software from "unknown sources." A good Android security app might also be able to detect this exploit code in downloaded software.
Samsung's compartmentalization feature Samsung Knox cannot stop apps with this exploit from installing, though Knox will issue an alert, Lacoon CEO Michael Shaulov told security blog Threatpost.