Bug in Linux kernel reportedly leaves 66% of Android devices vulnerable; Google responds

Bug in Linux kernel reportedly leaves 66% of Android devices vulnerable; Google responds
A new zero-day vulnerability has been found in the Linux kernel used by Android. The discovery, made by the Perception Point Research team, reveals a flaw that has been around since 2012, and could affect as many as 66% of current Android phones and tablets. The good news is that the security researchers have not found that any attempts have been made to exploit the vulnerability. Still, the research team says that the flaw needs to patched immediately.

According to a second report published today, this particular flaw can actually allow a malicious app to "breakout" of a secure sandbox and take control of some Android functions. The report added that the flaw could cause certain apps to take over the camera, microphone, GPS location and personal data. The flaw was reportedly introduced to Linux kernel 3.8 in early 2013.

Google responded this afternoon by saying that its own researchers do not believe that Android devices are vulnerable to exploits by third party apps. The company added that the number of Android devices that are at risk is "significantly smaller than initially reported." Despite Google's unworried response to the initial report, it still plans to issue a patch in March.

source: PerceptionPoint via ArsTechnica

FEATURED VIDEO

31 Comments

1. Nathillien unregistered

yawn!

21. XperiaFanZone

Posts: 2277; Member since: Sep 21, 2012

The silence of the Linux fanboys is deafening

26. spin9

Posts: 310; Member since: May 31, 2014

What has NSA to say about that bug?

2. Clars123

Posts: 1071; Member since: Mar 16, 2015

that's right...keep discovering vulnerabilities so Google can patch them..at the end of the day these "research teams" are only helping Android become more secure.

13. cdm283813

Posts: 424; Member since: Jan 10, 2015

To bad Samsung update policy is crap.

22. RoboticEngi

Posts: 1249; Member since: Dec 03, 2014

I'm on the December security update on my Samsung phone. They are doing fine.....go troll some where else.

20. greyarea

Posts: 267; Member since: Aug 14, 2015

The way you wrote this makes it sound like making things more secure isn't the end goal of the research team. Am I just reading it wrong?

24. strudelz100

Posts: 646; Member since: Aug 20, 2014

Too bad Google didn't build in Security Updates into Android. Instead they depend on OEM's who have zero incentive. The vast majority of handsets world wide still are vulnerable to Stagefright....TODAY because of absent update policy.

3. theguy2345

Posts: 1216; Member since: Jun 24, 2014

The fact that Google just shrugged it off is kinda scary of you ask me. Shouldn't they try to make it as secure as possible, not shrug off these kind of things.

11. NexusKoolaid

Posts: 493; Member since: Oct 24, 2011

You need to do a little more research before jumping to conclusions like that. http://www.androidcentral.com/kernel-vulnerability-exposed-researchers

18. joey_sfb

Posts: 6794; Member since: Mar 29, 2012

Thanks for the link. Google Android's CONFIG_KEYS variable are defaulted to OFF which would not create the flaw in the first place. Unless OEM or Custom ROM developer change the default setting and recompile the android kernel to change that default setting, Android is not affected. So all Nexus devices are not affected, and I would agree with Google that not many would play with kernel default setting and recompile it for their phone. Because its bring zero benefit and a hordes of compatibility issues. Another example of PA one sided reporting.

25. strudelz100

Posts: 646; Member since: Aug 20, 2014

Google is in the business of MAKING MONEY. Critical bugs threaten profits. Critical bugs are thus hidden when they are not easily defeated. It's extremely simple....when folks stop and realize that Google doesn't produce Android for charity. These guys are every bit as bad as any other corporate entity and dodge billions in taxes just like the Government allows from any other mega-company.

4. steelew

Posts: 219; Member since: Jun 04, 2012

I guess we can assume they will be scanning for apps that try to use this (if that's possible) going forward? Hopefully?

5. darkkjedii

Posts: 30483; Member since: Feb 05, 2011

Someone will leave a 5,000 word rant about this.

6. theo14461 unregistered

Welcome to the wonderful world of Android.

7. VZWuser76

Posts: 4974; Member since: Mar 04, 2010

I read about this on another site. It's not only Android, anything running Linux or a derivative of it is vulnerable.

8. Napalm_3nema

Posts: 2236; Member since: Jun 14, 2013

Yeah, it's kernel level, but their numbers in this article are not correct. It's hard to tell what is vulnerable, since OEMs don't always update the kernel to the same version on the same version of Android. There are Marshmallow builds with 3.1X and 3.4 in the wild.

9. Kary1

Posts: 300; Member since: Jun 26, 2015

That's what caught my eye--that it's a Linux issue, an OS type people usually view as secure.

10. Mxyzptlk unregistered

That doesn't really change much given how large the android user base is.

16. VZWuser76

Posts: 4974; Member since: Mar 04, 2010

First it depends on which kernel they're using as Napalm said. Second, the point was the issue isn't isolated to Android as Theo implied.

12. NexusKoolaid

Posts: 493; Member since: Oct 24, 2011

23. RoboticEngi

Posts: 1249; Member since: Dec 03, 2014

Shhh don't break the sheep's soft pink illusions about apples unbreakable security..........

14. AkoSiKuting

Posts: 88; Member since: Dec 09, 2015

Android exist because some users just can't afford to pay vulnerability

27. greyarea

Posts: 267; Member since: Aug 14, 2015

Does not translate

28. Dattack

Posts: 61; Member since: Jan 09, 2013

Ah, you are one of "all mighty iOS users"? I guess, it's better to say you are one of the brainwashed dips**ts.

30. tedkord

Posts: 16974; Member since: Jun 17, 2009

Some people need to pay for English lessons.

15. Synack

Posts: 688; Member since: Jul 05, 2011

Real question is, can this be used to obtain root on newer devices that are locked down pretty tight? Wondering if this could help root the future Galaxy S7 and G5, etc.

17. Napalm_3nema

Posts: 2236; Member since: Jun 14, 2013

If they are running the correct kernel, and the SELinux kernel module is not enabled, then yes, it's possible. As I understand it, it has to be local access, and as I said above, the same version of Android on different devices can be running different kernels. This is a concern, from a vulnerability standpoint, but I think it is a bit overblown. This is a lot more dangerous to things like servers and routers running Linux than it is for Android devices.

29. RebelwithoutaClue

Posts: 5465; Member since: Apr 05, 2013

Most Android 5.0 phones (if not all) have the SELinux option on, so the bug doesnt work. Most Android phones have the CONFIG_KEYS variable off,so the bug doesnt work. Most Android phones with a version under 5.0 have an older Linux kernel, so the bug doesnt work. All in all it's a tempest in a teacup. Also if you stick to the Play store, you're safe

19. TechieXP1969

Posts: 14967; Member since: Sep 25, 2013

For such bugs whether it's iOS or Android which are both NIX based operating systems, other than people paid to find holes, I don't see how this is news or why we should care. I don't know of anyone with a mobile device that has ever been exploited in the wild. Why should we worry? If you download of from verified trusted developers, something like this is never going to be an issue whether your device is rooted or not otherwise jailbroken or not.

Latest Stories