Google is warning of a just-patched security hole in Android that could allow an innocent-looking app to take over your device completely.
The flaw, dubbed CVE-2015-1805, was found in the Linux kernel around the middle of 2015 and promptly patched in most Linux distributions.
For some reason, it seems that Android, which sort of is-and-isn’t a Linux distro, didn’t implement the fix.
In other words, Android devices remained vulnerable long after their server and desktop Linux counterparts were patched.
Escaping from the sandbox
Android apps are, generally speaking, kept safe from each other thanks to a number of “least privilege” security techniques, such as running each app as a different user.
This means that Android apps can’t get access to each other’s data, accidentally or deliberately, which is a much stricter situation than exists on most desktop computers, whether they’re Windows, Linux or OS X.
For example, on your laptop, you usually log in and run all your applications under your own user account: that’s great for productivity, but not so great if you are attacked by ransomware, because one infected program can usually wipe out data from all your other programs in one shot.
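To make the per-app-user idea concrete, here is an added example (not code from the article or from Google) that parses the kind of process listing you get from `adb shell ps -A` and groups app processes by the `u0_aNNN` user they run as. The process table below is constructed for the example, not captured from a real device; the one deliberate oddity is two different packages sharing `u0_a15`, which is what a shared user ID looks like and is the only case where one app can legitimately read another's data.

```python
import re
from collections import defaultdict

# Constructed sample of `adb shell ps -A` output (toybox column layout); not a
# capture from any real device. App processes run as per-app users u0_aNNN.
SAMPLE_PS = """\
USER           PID  PPID     VSZ    RSS WCHAN            ADDR S NAME
root             1     0   10444   1740 0                   0 S init
system         612     1 1234567 123456 0                   0 S system_server
u0_a12        1503   612 1100000  90000 0                   0 S com.example.mail
u0_a13        1620   612 1050000  80000 0                   0 S com.example.notes
u0_a14        1777   612 1000000  70000 0                   0 S com.example.game
u0_a14        1790   612  900000  60000 0                   0 S com.example.game:push
u0_a15        1801   612  800000  50000 0                   0 S com.example.bank
u0_a15        1810   612  700000  40000 0                   0 S com.example.bankhelper
"""

# Android per-app users look like u<android-user>_a<app-id>.
APP_USER = re.compile(r"^u(?P<user>\d+)_a(?P<appid>\d+)$")


def parse_ps(text):
    """Return (user, pid, name) for every process line, skipping the header."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) < 9:
            continue
        rows.append((fields[0], int(fields[1]), fields[-1]))
    return rows


def app_processes(text):
    """Only the processes that run under a per-app UID (system daemons excluded)."""
    return [(u, p, n) for (u, p, n) in parse_ps(text) if APP_USER.match(u)]


def packages_by_uid(text):
    """Map each per-app user to the set of packages running under it.
    'pkg:push' is a secondary process of 'pkg', so the suffix is dropped."""
    by_uid = defaultdict(set)
    for user, _pid, name in app_processes(text):
        by_uid[user].add(name.split(":", 1)[0])
    return dict(by_uid)


def shared_uids(text):
    """Users under which more than one distinct package runs.
    On stock Android this only happens for apps that declare a shared user ID
    and are signed with the same key, so it is worth a look, not proof of trouble."""
    return {u: sorted(p) for u, p in packages_by_uid(text).items() if len(p) > 1}


if __name__ == "__main__":
    for user, pkgs in sorted(packages_by_uid(SAMPLE_PS).items()):
        print(user, ", ".join(sorted(pkgs)))
    print("shared:", shared_uids(SAMPLE_PS))
```

On a real device you would feed the function the live output of `adb shell ps -A`; the point of the example is that every ordinary app gets its own user, so the kernel's normal file-permission checks are what keep one app out of another's files.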
However, even though Android apps are kept apart, it’s a different story in the kernel, which manages that app separation in the first place.
If you can subvert the kernel itself, then you as good as control the security of the system as a whole.
And if you can subvert the kernel by triggering a kernel-land vulnerability from an unprivileged user-land program, you have achieved the ultimate elevation of privilege (EoP) exploit.
In particular, if you can take over the Android kernel, you can root the device.
Rooting, like jailbreaking on Apple devices, is where you escape from the restrictions imposed by Google to gain full administrative power. (The admin account is called root on Linux and Unix, thus rooting the device.)
Like jailbreaking, rooting can be used for good, allowing you more control over your own device.
But in the wrong hands, rooting it can be dangerous, especially if an app keeps quiet about having escaped from Google’s security sandboxes and goes on to steal your data.
Rooting apps
Many rooting apps are quite overt about their functionality, and many people choose to use them to tweak and improve their phones.
By rooting, they can install apps that their device vendor doesn’t usually allow, or even install security updates that their vendor has failed to provide.
But Google doesn’t allow rooting apps in the Google Play Store, so if you keep the “Allow apps from unknown sources” option turned off, you ought to be safe from an unexpected takeover of your phone.
That’s where CVE-2015-1805 comes in: apparently, apps that use this vulnerability have made it into the Play Store, presumably because Google failed to spot the trickery they used to get root-level access.
Google says that as well as providing the kernel patch at last, it has also beefed up its automated app verification system to try to keep apps that exploit CVE-2015-1805 out of Google Play.
What to do?
- Patch early, patch often. Keep your eye out for patches from your device vendor or service provider.
- Insist on patches. If your vendor doesn’t provide timely updates, consider switching devices. (How to judge whether your new vendor will be better at patching is beyond the scope of this article.)
- Stick to Google Play as much as you can. The Play Store is far from perfect, as this story shows, but Google at least tries to verify the apps it accepts, so it’s much safer than many of the “free for all” Android markets out there.
- Consider an Android anti-virus. Security apps like Sophos Free Anti-Virus and Security not only help you keep malicious apps out, but also protect you from unsafe download sites and low-reputation apps that might be a security risk even if they aren’t overtly malicious.
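The first and third pieces of advice above (keep the patch level current, keep “unknown sources” off) can be checked rather than taken on faith. The following added example, not code from the article or from Google, reads the two values a device reports over adb: `ro.build.version.security_patch` (the monthly security patch level, only present on Android 6.0 and later) and the `install_non_market_apps` secure setting (the pre-Oreo global “unknown sources” switch). The patch-level date it compares against is an assumption taken from Google’s supplemental bulletin for this bug; substitute whatever level your vendor states for your device. The two command outputs below are constructed for the example, not captured from a real phone.

```python
import re
from datetime import date

# Security patch level at which Google's supplemental bulletin says the
# CVE-2015-1805 fix ships on Nexus devices. Assumed here; replace with the
# level your own vendor quotes for your device.
REQUIRED_PATCH_LEVEL = "2016-03-18"

# Constructed outputs of the two adb commands (not from a real device):
#   adb shell getprop ro.build.version.security_patch
#   adb shell settings get secure install_non_market_apps
SAMPLE_PATCH_LEVEL = "2016-02-01\n"
SAMPLE_UNKNOWN_SOURCES = "1\n"


def parse_patch_level(text):
    """Parse YYYY-MM-DD from getprop output.
    Returns None when the device reports nothing (older than Android 6.0, or a
    vendor build that leaves the property empty)."""
    m = re.search(r"(\d{4})-(\d{2})-(\d{2})", text)
    if not m:
        return None
    return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))


def patch_level_ok(text, required=REQUIRED_PATCH_LEVEL):
    """True only if the device reports a level at or after the required one."""
    level = parse_patch_level(text)
    return level is not None and level >= date.fromisoformat(required)


def unknown_sources_enabled(text):
    """'1' means 'Allow apps from unknown sources' is on.
    'null' (setting never written), '0' or an empty reply all count as off."""
    return text.strip() == "1"


def assess(patch_text, unknown_text, required=REQUIRED_PATCH_LEVEL):
    """Return the findings a defender would act on; an empty list is a pass."""
    findings = []
    level = parse_patch_level(patch_text)
    if level is None:
        findings.append("no security patch level reported; treat as unpatched")
    elif not patch_level_ok(patch_text, required):
        findings.append(f"security patch level {level} is older than {required}")
    if unknown_sources_enabled(unknown_text):
        findings.append("installs from unknown sources are enabled")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_PATCH_LEVEL, SAMPLE_UNKNOWN_SOURCES):
        print("FINDING:", finding)
```

A device that reports no patch level at all is treated as unpatched rather than ignored: the absence of the property is exactly the case (pre-Marshmallow builds) where you have the least information and the most reason to assume the kernel fix never arrived.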
Steve
Will apps that were already accepted in the Play Store be checked for this exploit?
Paul Ducklin
You’d like to think so…