January 21, 2016

Update (1/21): In contrast to Perception Point’s report, Google claims that all Android 5.0 Lollipop devices, including the entire Nexus line, have an extra layer of security called SELinux that would render any exploits of this bug useless. What’s more, most devices running Android 4.4 and earlier use code older than Linux kernel 3.8, meaning they do not contain the bug. This makes the list of affected devices markedly slimmer than the previously reported 66%. Google is also issuing a patch that will be required on all devices by March 1, 2016.

Researchers at Perception Point have identified a Linux bug that has existed, unnoticed, for the last four years. This bug can be maliciously exploited on Linux PCs and servers, but it also affects all Android devices running any version of Android more recent than Jelly Bean.

The bug, indexed as CVE-2016-0728, was introduced in Linux kernel version 3.8 and is located in the OS keyring. Researchers built a proof-of-concept exploit that demonstrated the bug’s impact by using it to replace a keyring object with code that the kernel then executed.

“While the vulnerability has existed since 2012,” said researchers Tuesday, “our team discovered the vulnerability only recently, disclosed the details to the Kernel security team, and later developed a proof-of-concept exploit. As of the date of disclosure, this vulnerability has implications for approximately tens of millions of Linux PCs and servers, and 66 percent of all Android devices (phones/tablets).”

The exploit they demonstrated, and others like it, could give those with physical access to Linux servers root access, or let a devious-enough Android app alter core OS functions. Perception Point is encouraging security teams and developers to examine any affected software and begin producing patches to forfend against attack as quickly as they can.

The good news is that this bug seems to be obscure enough that the more devious minds prowling the tech world haven’t picked up on it yet. “Neither [Perception Point] nor the Kernel security team have observed any exploit targeting this vulnerability in the wild,” the researchers said. Since fixes look like they’re going to be made available early next week, we may be able to breathe a sigh of relief. However, sources like Ars Technica are reminded of the sneaky Linux trojan discovered in 2014 that had been sapping information from governments in 45 different countries for years without anybody noticing.

If you’re looking for more information regarding the technical nature of this bug, check out the original announcement at Perception Point. If you’re a Linux dev or security expert, we’d definitely be interested in hearing your take on this issue in the comments!
