Google rushes out emergency fix for Android rooting exploit but most phones remain at risk

Google says 'no' to rooting apps in Google Play and issues an emergency patch for Nexus devices to fix a critical kernel bug.
Written by Liam Tung, Contributing Writer

Google has confirmed that a publicly available rooting app could compromise the Nexus 6.

Image: Google

Google is trying to stamp out rooting apps that exploit a Linux kernel bug which remains unpatched on most Android devices in use.

Google can't patch the vast majority of Android devices but it has judged that a number of rooting apps are dangerous enough to warrant an unscheduled patch for its own Nexus products.

According to an advisory on Friday, the unnamed rooting apps, which are available in Google Play and outside its app store, could lead to a "local permanent device compromise". Repairing the device would require reflashing the operating system.

Google was planning to patch the issue in an upcoming scheduled monthly update but pushed it forward after researchers at security firm Zimperium reported last week that the bug had been abused on a Nexus 5. Google then confirmed that a publicly available rooting app could also compromise the Nexus 6.

The advisory "applies to all unpatched Android devices on kernel versions 3.4, 3.10 and 3.14, including all Nexus devices. Android devices using Linux kernel version 3.18 or higher are not vulnerable," Google said.

The company has also updated the Android Verify Apps security feature to detect the rooting apps. Google hasn't said whether it has removed the rooting apps from Google Play but notes that such apps do violate Google Play's terms.

Google says it has not seen the rooting apps used for exploitation it considers malicious. Compromising a device requires the user to install the rooting app manually; the flaw is a local privilege escalation, so any app a user can be persuaded to sideload could bundle the same exploit and gain the same kernel-level access.

Google supplied a patch to Android handset makers on March 16. Non-Nexus devices will be fixed only when their OEMs ship updates that bring the build up to the Android security patch level of April 2, 2016 or later.
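The two facts a practitioner needs to triage a fleet are both stated above: the kernel series the advisory covers (3.4, 3.10 and 3.14 affected; 3.18 and later not) and the security patch level at which OEM builds carry the fix (2016-04-02). The following shell helper turns those two statements into a check that can be run over `adb` or fed recorded values. It is an added example written for this page, not tooling from Google or Zimperium; the `check_attached_device` wrapper assumes `adb` is on the PATH with a single device attached, and the `ro.build.version.security_patch` property is absent on devices older than Android 6.0, which the helper treats as unpatched.

```sh
#!/bin/sh
# Triage helper for the scope stated in Google's advisory: classify an Android
# device from its kernel release string (uname -r) and its security patch level
# (the ro.build.version.security_patch system property). Added example for this
# page, not Google's or Zimperium's tooling; thresholds are the advisory's.

# OEM builds at or past this patch level carry the fix (advisory: April 2, 2016).
FIXED_SPL=20160402

# classify_device <kernel release> <security patch level or empty string>
# Prints one of: vulnerable | patched | not-affected | unknown
classify_device() {
    kernel="$1"
    spl="$2"

    # Reduce "3.10.40-g1234abc" to major "3" and minor "10".
    major="${kernel%%.*}"
    rest="${kernel#*.}"
    minor="${rest%%[!0-9]*}"
    case "$major" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case "$minor" in ''|*[!0-9]*) echo unknown; return 0 ;; esac

    # Advisory: kernel 3.18 and later are not vulnerable.
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 18 ]; }; then
        echo not-affected
        return 0
    fi

    # The advisory names 3.4, 3.10 and 3.14 explicitly. Anything else below
    # 3.18 (older kernels, vendor forks) is outside what it states, so report
    # it as unknown rather than guessing either way.
    case "$major.$minor" in
        3.4|3.10|3.14) ;;
        *) echo unknown; return 0 ;;
    esac

    # Patch level is YYYY-MM-DD; compare it as the integer YYYYMMDD. Devices
    # older than Android 6.0 do not set the property at all, so an empty or
    # malformed value is treated as unpatched (the conservative call).
    case "$spl" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            y="${spl%%-*}"
            r="${spl#*-}"
            m="${r%%-*}"
            d="${r#*-}"
            if [ "$y$m$d" -ge "$FIXED_SPL" ]; then
                echo patched
                return 0
            fi
            ;;
    esac
    echo vulnerable
}

# check_attached_device: query the USB-attached device over adb and classify it.
# Assumes adb is on PATH and exactly one device is attached. Older adb builds
# append a CR to shell output, hence the tr.
check_attached_device() {
    k=$(adb shell uname -r | tr -d '\r')
    s=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    printf '%s %s -> %s\n' "$k" "${s:-<no patch level>}" "$(classify_device "$k" "$s")"
}

# Only touches adb when explicitly asked, so the functions can be sourced and
# exercised with recorded values.
case "${1-}" in
    --adb) check_attached_device ;;
esac
```

Run it as `sh triage.sh --adb` against a connected handset, or source it and call `classify_device` on values pulled from an MDM inventory. Note that "patched" only means the build claims the April 2016 patch level; a device that has been rooted and has had its boot image altered needs to be reflashed regardless, as the advisory itself says.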

Google has also released fixes for vulnerable kernels in the Android Open Source Project.

The Linux kernel bug itself (CVE-2015-1805, a flaw in the kernel's pipe read/write code) was fixed upstream in April 2014, but, as Google notes, the fix was not recognised as a security fix until February 2015, so it was never backported to the older Android kernel branches.

In February this year, researchers at c0reteam notified Google that the bug could be exploited on Android, prompting Google to develop a patch it had scheduled for the April monthly update before the Zimperium report pulled it forward.
