A flaw in the Android operating system may leave many Android phones and tablets vulnerable to attack, including the Samsung Galaxy S5 and Google's own Nexus 5. It's the same flaw that was recently discovered in the Linux kernel, on which Android is based — and a just-released Android "rooting" tool that uses the flaw could make the problem even worse.
Exploiting the flaw on an Android device yields root permissions, or total control of the system. That's not itself malicious, but the exploit could also let attackers remotely download malware, copy the device owner's files and other personal data, disable the device's security apps and create a backdoor for more attacks, according to San Francisco-based security firm Lacoon Mobile Security.
MORE: 30 Best Apps for Rooted Android Phones
The Linux kernel flaw, designated CVE-2014-3153 by the information-security community, was discovered June 7 by a pseudonymous teenage hacker called Pinkie Pie. Four days later, phone hacker George Hotz, who at age 17 became the first to "unlock" an iPhone, released an Android rooting tool called TowelRoot that uses the kernel flaw.
Hotz has made his tool available for download at TowelRoot.com, and said there that the tool should work on all versions of Android made before June 3. (In an mobile developers' forum, Hotz admitted some Motorola and HTC phones seem to be immune.) In a Lacoon company blog post Monday (June 16), Lacoon vice president Ohad Bobrov warned that the bug used in TowelRoot could also be used for purposes far more nefarious than rooting one's own phone.
The Linux kernel bug affects all Linux kernels up to 3.14.5 and is present in Android 4.4 KitKat and earlier, which means most commercial Android phones are affected. To exploit the bug, attackers would need to trick device owners to install a specially crafted malicious app of the sort commonly found in "off-road" Android app markets.
To protect against this, users should only install Android applications from the Google Play Store and make sure their devices cannot accept software from "unknown sources." A good Android security app might also be able to detect this exploit code in downloaded software.
Samsung's compartmentalization feature Samsung Knox cannot stop apps with this exploit from installing, though Knox will issue an alert, Lacoon CEO Michael Shaulov told security blog Threatpost.
Email email@example.com or follow her @JillScharr and Google+. Follow us @TomsGuide, on Facebook and on Google+.
The poor quality of tomshardware articles continue to amaze me.
There are legit Android app stores other than Google play. Amazon and Humble Bundle for example. Android users should just use the same precautions as if they were installing software on a Windows PC. Only install software from trusted sources, yes, but Google Play is far from the only trusted source.
It's amazing how every single article like this ends with the same conclusion: leave your default phone settings alone if you don't know exactly what you're doing, yet people still react as if the end of the mobile world is coming. The apocalyptic tone of the title doesn't help.