Android rooting bug opens Nexus phones to “permanent device compromise”

Millions of Android phones, including the entire line of Nexus models, are vulnerable to attacks that can execute malicious code and take control of core functions almost permanently, Google officials have warned.

The officials have already uncovered one unidentified Google Play app that attempted to exploit the vulnerability, although they said they didn't consider the app to be doing so for malicious purposes. They are in the process of releasing a fix, but at the moment any phone that hasn't received a security patch level of March 18 or later is vulnerable. The flaw, which allows apps to gain nearly unfettered "root" access that bypasses the entire Android security model, has its origins in an elevation of privileges vulnerability in the Linux kernel. Linux developers fixed it in April 2014 but never identified it as a security threat. For reasons that aren't clear, Android developers failed to patch it even after the flaw received the vulnerability identifier CVE-2015-1805 in February 2015.

"An elevation of privilege vulnerability in the kernel could enable a local malicious application to execute arbitrary code in the kernel," an Android security advisory published Friday stated. "This issue is rated as a critical severity due to the possibility of a local permanent device compromise and the device would possibly need to be repaired by re-flashing the operating system."

Google officials went on to say they are aware of at least one application that was available both within and outside of the official Play market place that exploited the vulnerability. Many users willingly install such rooting apps to give their phones capabilities that wouldn't be possible otherwise. Still, as Ars reported in October, the root exploits pose a danger to the entire Android user base, even when used openly by app developers to provide added functionality. Late last year, researchers from security firm Lookout found malicious apps available in a third-party market that exploited unpatched rooting vulnerabilities to make them extremely difficult for average users to uninstall.

Google said its Play marketplace prohibits rooting apps. Company officials also attempt to curb the installation of such apps available in other forums through use of the verify apps feature. Friday's advisory didn't identify the app that was exploiting the vulnerability except to say it was publicly available, both within and outside of Play, and worked on Nexus 5 and Nexus 6 phones.

The vulnerability is present in all Android releases that use Linux kernel versions 3.4, 3.10, and 3.14. That includes all Nexus phones, as well as a large number of handsets marketed under major manufacturer brands. Android releases that use kernel versions 3.18 or higher aren't susceptible.

Readers with a vulnerable phone should carefully consider the risks before knowingly installing a rooting app that exploits the flaw. They should also avoid apps available in third-party marketplaces, since they are more likely to host apps that exploit the vulnerability maliciously and without warning, and be on the lookout for updates in the coming weeks or months that patch the underlying security hole. The good news is that the flaw requires a local exploit, making remote drive-by Web attacks infeasible if not impossible.

Post updated on March 23 to correct where malicious apps found by Lookout were located. They were in a third-party market.