TowelRoot Android rooting tool presages malware exploits against kernel flaw, suggests security vendor

"Make it ra1n"

Is the Towelroot tool a simple way for Android smartphone users to gain root access on their devices or an inadvertent proof-of-concept that shows the way to cybercriminals?

TowelRoot was released only days ago by noted white hat George Hotz (aka 'GeoHot'), who made his name jailbreaking the supposedly impregnable iPhone, iPad and Sony PS3, gaining him wide recognition. Using the software makes it trivial for the owner of a wide range of Android handsets running 4.4 KitKat to root their device, overriding all security and gaining complete control.

Hotz's target this time appears to have been the Samsung S5, which had an $18,000 (£10,500) bounty sitting on its head for anyone capable of gaining root access.

Normally that would be that, but the complicating factor is that the tool gains this access by exploiting the recent Linux kernel bug, CVE-2014-3153, published by another well-known Pwnium white hat, Pinkie Pie, on 5 June.

Although it was not Hotz's intention, some now see TowelRoot as a handy proof-of-concept for cybercriminals looking for a way of packaging the exploit into malicious apps.

"Right now this vulnerability is only used by the rooting tool and has yet to show up in any malicious sample. Learning from the past, we can assume that it is only a matter of time until exploits for this vulnerability are distributed through other channels," said Lacoon Security vice president of R&D, Ohad Bobrov in a blog.

In addition to the Samsung S5 (running on Verizon and AT&T), affected devices include the Motorola Razr HD and Razr MAXX HD, LG's G Flex, and a clutch of Sony Xperia models. In principle other devices are probably affected.

The flaw poses a risk to Linux users too but was at least rapidly patched; Android poses a much greater problem because it requires device vendors and mobile networks to implement a fix. This will take time and might in some cases never happen at all.

Google Nexus device users are certain to get a patch as part of a coming update to Android 4.4.3.

If cybercriminals do take the hint, malware will turn up on third-party app sites. TowelRoot's appearance suggests Android handset makers need to up their game when it comes to fixing flaws.


Stories by John E Dunn
