A recently disclosed vulnerability in version 3.14.5 of the Linux kernel is also present in most versions of Android and could give attackers the ability to acquire root access on affected devices.
Researchers at Lacoon Mobile Security are calling the bug “TowelRoot,” because it is the very same vulnerability (CVE-2014-3153) exploited in the latest Android rooting tool developed by George Hotz (Geohot). Successful exploitation of the Linux bug within the Android operating system would give the attacker administrative access to a victim’s phone. Specifically, such access could potentially allow that same attacker to run further malicious code, retrieve files and device data, bypass third-party or enterprise security applications including containers like Samsung’s secure Knox sub-operating system, and establish backdoors for future access on victim devices.
Jeff Forristal, the chief technology officer at the mobile security firm Bluebox Security, explained to Threatpost in an interview that the Linux futex vulnerability affects Android devices because those devices run on the Linux kernel, and once the bug became public, it was only a matter of time before someone developed an Android-specific exploit for it. George Hotz, a well-known figure in the jailbreaking and rooting scene, took that next step.
“This is pretty common practice/recipe in the Android rooting scene: they wait for a general-purpose Linux kernel vulnerability to surface, then they race to create an Android-specific exploit for it that can root the device,” Forristal said.
This vulnerability exists in Android version 4.4 and earlier, and is therefore present on nearly every commercial build, including the wildly popular Samsung Galaxy S5, according to research from Lacoon Mobile Security. Other vulnerable devices are said to include the Samsung Note 3, LG G Flex, the Motorola RAZR HD/M and RAZR Maxx HD, and the Sony Xperia E1, C6603, C5303, Xperia T, Xperia Z1, and Xperia SP, among others.
“The vulnerability is currently codenamed TowelRoot after a rooting tool that was released on mobile forums that uses the vulnerability to root most of the popular mobile devices on the market,” writes Ohad Bobrov, Lacoon Security’s vice president of research and development. “This tool is being widely publicized and is easily available for use without the need for technical know-how.”
In an email interview, Michael Shaulov, the CEO of Lacoon, explained that in the case of secure Samsung Knox environments, the exploit would trigger protection and issue an alert to users, but that, ultimately, the attacker could still gain root access.
“Right now this vulnerability is only used by the rooting tool and has yet to show up in any malicious sample,” explains Bobrov. “Learning from the past, we can assume that it is only a matter of time until exploits for this vulnerability are distributed through other channels.”
To gain root access to a victim’s phone using this vulnerability, an attacker would need to craft an exploit and package it within a malicious application. Because of this, users who avoid third-party markets and do not follow shady links or click on suspicious attachments should be immune.
“The risk of this particular Linux kernel bug, as realized on an Android device, is that unprivileged generic Android apps with malicious intent can also exploit the same kernel vulnerability for other evil (non-root) reasons,” Forristal said. “This has absolutely nothing to do with TowelRoot or rooting in general — it’s just a callout that this time around it’s a very general-purpose security risk that is relevant regardless of the device owner’s rooting proclivities.”