Millions of Android smartphones and tablets are vulnerable to security attacks, Google has warned. The vulnerability, if exploited, gives an app unfettered root access, circumventing various Android security layers. The Mountain View-based company has made available a patch to OEMs, and says it is currently working on a fix for the Nexus lineup.
Security researchers spotted an app in the Google Play, Android's marquee app store, which tries to leverage the vulnerability. Android inherited the flaw from Linux years ago. Interestingly, Linux developers fixed the bug in 2014, and it was later on flagged as a vulnerability - identified as CVE-2015-1805 - early last year.
The vulnerability is present in all Android releases that are based on Linux kernel version 3.4, or 3.10, or 3.14. Android versions based on Linux kernel 3.18 or higher aren't affected, Google assures. Most Android 6.0 Marshmallow-based devices run on kinux Kernel v3.18, however, different OEMs often use different Linux kernel versions - thus, it is hard to correlate Android version with kernel version.
Google acknowledged the existence of the vulnerability in an advisory it sent last week. "An elevation of privilege vulnerability in the kernel could enable a local malicious application to execute arbitrary code in the kernel. This issue is rated as a critical severity due to the possibility of a local permanent device compromise and the device would possibly need to be repaired by re-flashing the operating system," the note reads.
Google didn't disclose the name of the app, though it noted that the offending app was available from Google Play as well as third-party sources, and Nexus 6 and Nexus 5 smartphones were affected. It also noted that it has published the patches for the flaw with OEMs, and also published them to the Android Open Source Project. It is up to manufacturers now how long they take before pushing the updates to their respective devices.