The Hacker News (THN:2B7C61C1C1F886D98A9A93D18F3E6265)
Jun 12, 2013 - 6:00 p.m.

Android malware loaded with Linux kernel privilege escalation exploit

2013-06-12 18:00:00
The Hacker News
thehackernews.com

CVSS2: 7.2 High
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.001 Low
Percentile: 32.6%


Malware authors are notorious for quickly leveraging new exploits in the public domain for nefarious purposes. A recently discovered Linux kernel local privilege escalation exploit, which allows attackers to gain complete control of infected devices, has been ported to the Android smartphone platform.

Linux kernel 2.6.x systems, including Red Hat Enterprise Linux 6, Ubuntu 12.04 LTS, Debian 6 and Suse Enterprise Linux 11, are vulnerable to the privilege escalation flaw tracked as CVE-2013-2094.

CVE-2013-2094 states, “The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call.”
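The "incorrect integer data type" bug class named in the CVE text can be shown with a simplified user-space model; this is an added example, not kernel code and not from the original article. It assumes the common form of the flaw (a 64-bit caller-supplied id narrowed to a signed int before an upper-bound-only check), and `SW_EVENT_MAX`, `check_narrowed` and `check_full_width` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

#define SW_EVENT_MAX 9  /* constructed table size for this model */

/* Flawed pattern: the 64-bit id is narrowed to a signed int before the
 * upper-bound check. Ids with bit 31 set become negative and pass, and
 * ids above 32 bits alias onto small values. Returns 0 if accepted. */
static int check_narrowed(uint64_t config, long *index_out)
{
    int event_id = (int)config;   /* wrong type for a 64-bit field */
    if (event_id >= SW_EVENT_MAX)
        return -1;
    *index_out = event_id;        /* would be used as an array index */
    return 0;
}

/* Corrected pattern: compare at the full unsigned width, so every
 * out-of-range id is rejected before it can become an index. */
static int check_full_width(uint64_t config, long *index_out)
{
    uint64_t event_id = config;
    if (event_id >= SW_EVENT_MAX)
        return -1;
    *index_out = (long)event_id;
    return 0;
}

int main(void)
{
    /* Constructed sample ids: valid, bit 31 set, all-ones low word,
     * and a value whose low 32 bits look valid. */
    const uint64_t samples[] = { 3, 0x80000000ULL, 0xFFFFFFFFULL,
                                 0x100000003ULL, 9 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long a = 0, b = 0;
        int ra = check_narrowed(samples[i], &a);
        int rb = check_full_width(samples[i], &b);
        printf("id=0x%llx narrowed:%s", (unsigned long long)samples[i],
               ra ? "rejected" : "accepted");
        if (!ra)
            printf("(index %ld)", a);
        printf(" full-width:%s\n", rb ? "rejected" : "accepted");
    }
    return 0;
}
```

The narrowed check accepts negative indexes that would address memory before the table, which is why the safe form validates the value at its original width and signedness.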

An exploit for Linux machines is publicly available. Privilege escalation exploits are particularly dangerous as they can allow cybercriminals to gain complete control over the compromised device.

The exploit can be used to access data from other applications, prevent users from uninstalling the malware, and make it possible for the attackers to send premium rate text messages from the handset.

Symantec said, “The Android operating system normally sandboxes every application so they cannot perform sensitive system operations or interfere with other installed applications. In the past, we have seen malware use privilege escalation exploits to access data from other applications, prevent uninstall, hide themselves, and also bypass the Android permissions model to enable behaviors such as sending premium SMS messages without user authorization.”

A majority of malicious mobile apps are fake or rogue apps that claim to have some function but also contain malicious behaviors that run without users’ knowledge. Because there is no patch available yet for this flaw, we recommend that users download apps from reputable marketplaces only.
