Android Rooting Application Emergency Patch

A rooting application has been found in the wild targeting Nexus mobile devices using a local privilege escalation vulnerability patched two years ago in the Linux kernel that remains unpatched in Android.

Researchers at Zimperium, the same company that discovered last summer’s Stagefright flaws affecting Android, privately disclosed to Google last Tuesday they found an application that had been used to root a Nexus 5 device. This news came a little less than a month after researchers at CORE Team reported to Google that CVE-2015-1805, which was addressed in the Linux kernel in 2014, also affected Android devices.

The discovery of the rooting application—Google said the exploit was not malicious—prompted Google to push out emergency patches to its partners last Wednesday, and updates for Nexus devices. Partner patches are subject to carriers and handset manufacturers pushing the fixes to customer devices.

Google said in an advisory published last Friday that all Android devices on kernel versions 3.4, 3.10 and 3.14, including all Nexus devices are vulnerable. Android devices using Linux kernel version 3.18 or higher are not vulnerable.

“This issue is rated as a critical severity issue due to the possibility of a local privilege escalation and arbitrary code execution leading to local permanent device compromise,” Google said.

Rooting applications are particularly dangerous, not only because they are spread usually via Trojanized applications, but because they give their respective payloads system-level persistence.

Zimperium founder and CTO Zuk Avraham called the vulnerability being exploited by this particular rooting app “quite generic,” and said that it could be chained with other exploits to gain deeper penetration onto a device.

“It allows for consistent elevation of privilege, so anyone with malicious intentions with code execution already on a device and wants higher code execution, could use it to get access to the microphone or camera, or read email, anything like that,” Avraham said. “But you do need an initial code execution vulnerability or a presence on the device like an app for example. Then you can use this exploit, which is quite generic, and gain kernel privileges on the device.”

Avraham said this flaw was able to generate a payload on a device with a March 1, 2016 patch level, the most up to date patch level. He said the rooting app was spreading on an outside Android market away from Google’s Google Play marketplace.

Google said Google Play already blocks rooting applications by default, and that this particular rooting application if downloaded and manually installed from outside Google Play will also be blocked by Google’s Verify Apps tool. Verify Apps, the former Bouncer, scans apps in Google Play for harmful behaviors and warns users not to install them if they’re deemed dangerous.

“Verify Apps has been updated to block the installation of applications that we have learned are attempting to exploit this vulnerability both within and outside of Google Play,” Google said in its advisory.

Since rooting applications are banned from Google Play, an attacker would have to somehow convince a victim to manually install the app.

Google said users can check the patch levels of their phone to determine whether they are vulnerable to these attacks; devices with a security patch level of March 18, 2016 or April 2, 2016 are not vulnerable, Google said.

This news comes days after the disclosure of new exploits targeting vulnerabilities in libstagefright called Metaphor, which uses malicious video files in two stages, to exploit Nexus 5, LG G3, HTC One and Samsung Galaxy S5 handsets. The first video checks for the presence of the particular Stagefright flaw, and the second exploits the bug if it’s present on the device. The attack gives attackers remote control over the Android device.