Security researcher publishes proof-of-concept code for recent Android zero-day

Qu1ckR00t app can root an Android device using the CVE-2019-2215 zero-day.

Qu1ckR00t

Image: Grant Hernandez

A US security researcher has published proof-of-concept code on GitHub for a recently disclosed Android zero-day.

The zero-day was discovered at the start of this month by Google Project Zero security researchers. At the time, Google said the zero-day was being actively exploited in the wild.

When it disclosed the zero-day (tracked as CVE-2019-2215), Google security researcher Maddie Stone also published proof-of-concept (PoC) code, but her code only granted read/write access to the kernel.

To weaponize her PoC, an attacker would still need to find a way to bypass the many other security protections available at the Android kernel level.

But in a blog post published yesterday, Grant Hernandez, a PhD candidate at the Florida Institute of Cyber Security at the University of Florida, published a PoC that does just this.

Named Qu1ckR00t, the PoC can bypass DAC (Discretionary Access Control) and Linux Capabilities (CAP), and can disable SELinux (Security-Enhanced Linux), SECCOMP (Secure Computing Mode), and MAC (Mandatory Access Control).

The end result is a more intrusive PoC that can be used to root an Android device, giving a user/attacker full control of the device.

The code has been released on GitHub in its source code form, and not as an already-packaged APK file (the format of an Android app). Users will have to compile it themselves, but when compiled, they will have access to an app that can root an Android smartphone with one click.

Hernandez said he only tested Qu1ckR00t with Pixel 2 handsets, and warns non-experienced users from playing with the code, as they risk bricking their OS and losing data.

The downside to releasing a tool like Qu1ckR00t is that malware authors can now study the code too. This improved PoC can be embedded inside malicious apps to allow Android spyware, trojans, or ransomware to get root access to the devices they infect.

Patches available

To avoid any issues, users are advised to install necessary patches. Google has patched CVE-2019-2215 in the Android October 2019 security bulletin (security patch level 2019-10-06).

Google said the CVE-2019-2215 zero-day impacted smartphone models from different vendors, such as:

  • Pixel 2 with Android 9 and Android 10 preview
  • Huawei P20
  • Xiaomi Redmi 5A
  • Xiaomi Redmi Note 5
  • Xiaomi A1
  • Oppo A3
  • Moto Z3
  • Oreo LG phones
  • Samsung S7, S8, S9

Only devices running Android 8.x and later are vulnerable.