Linux bug renders vulnerable 66% of all Android devices (Update: Google responds)

by: Derek ScottJanuary 21, 2016


Update (1/21): In contrast to Perception Point’s report, Google claims that all Android 5.0 Lollipop devices, including the entire Nexus line, have an extra layer of security called SELinux that would render any exploits of this bug useless. What’s more, most devices running Android 4.4 and earlier use code older than Linux kernel 3.8, meaning they do not contain the bug. This makes the list of affected devices markedly slimmer than the previously reported 66%. They are also issuing a patch that will be required on all devices by March 1, 2016.

Researchers at Perception Point have identified a Linux bug that has existed, unnoticed, for the last four years. This bug can be maliciously exploited on Linux PC’s and servers, but it also affects all Android devices running any version of Android more recent than Jellybean.

The bug, indexed as CVE-2016-0728, arrived on the Linux kernel in version 3.8 and is located in the OS keyring. Researchers were able to create a proof-of-concept exploit that showcased the malicious capabilities of the bug by using it to replace a keyring object with code that was executed by the kernel.

“While the vulnerability has existed since 2012,” said researchers Tuesday, “our team discovered the vulnerability only recently, disclosed the details to the Kernel security team, and later developed a proof-of-concept exploit. As of the date of disclosure, this vulnerability has implications for approximately tens of millions of Linux PCs and servers, and 66 percent of all Android devices (phones/tablets).”

Android-malwareSee also: Google bans 13 apps that secretly download other malware50

The exploit they demonstrated, and others like it, could give those with physical access to Linux servers root access or let a devious-enough Android app alter core OS functions.  Perception Point is encouraging security teams and developers to examine any affected software and begin producing patches to forfend against attack as quickly as they can.

The good news is that the this bug seems to be obscure enough that the more devious minds prowling the tech world haven’t seemed to pick up on it yet. “Neither [Perception Point] nor the Kernel security team have observed any exploit targeting this vulnerability in the wild,” the researchers said. Since fixes look like they’re going to be made available early next week, we may be able to breathe a sigh of relief. However, sources like Ars Technica are being reminded of the sneaky Linux trojan discovered in 2014 that had been sapping information from governments in 45 different countries for years without anybody noticing.

Linux Shutterstock

If you’re looking for more information regarding the technical nature of this bug, check out the original announcement at Perception Point. If you’re a Linux dev or security expert, we’d definitely be interested in hearing your take on this issue in the comments!

Next: 15 best antivirus Android apps and anti-malware Android apps


    Stagefright 2.0

    • retrospooty

      meh v. 187.

  • Noah Van Tiggel

    An important piece of information was forgotten here… “SMEP & SMAP will make it difficult to exploit as well as SELinux on android devices” So don’t freak out just yet as it currently cannot be exploited on android.

    • Robert Dunn

      But hey, that won’t stop tech blogs from sensationalizing it.

    • Scott Ricketts

      Pfft. Details. Clickbait is far better.

  • John Doe

    Oh … My …God!! The world is coming to an end as we know it .. Run Forrest Run … lmao

  • blabla blabla

    In a time when most devices run 3.4.x…

  • HotelQuebec

    Was hopeful for root exploit for some devices that hasn’t had root for years but:

    1) They run SELinux.

    2) Lollipop runs 3.4 kernel and Kit Kat runs 3.0 kernel so they’re both unaffected by 3.8 kernel exploit.

    3) Can’t even compile the exploit code on the devices since they’re reporting missing keyutil.h.

  • Bur

    New update came in, only old devices are exposed to it (4.4 and lower without the right patch)

  • mrjayviper

    “What’s more, most devices running Android 4.4 and earlier use code older than Linux kernel 3.8”

    so running an older of android has it’s rewards.

  • luminelx64

    Just because this was found out. I bet there are other exploits on Android not yet discovered by the public.