How to defend against the latest Android kernel flaw

Companies should be on the lookout for exploits of a troubling vulnerability in the Linux kernel that exists in nearly every popular mobile device running Android, experts say.

Cybercriminals are likely to target the flaw with malware soon, given the relative simplicity of developing an exploit. Their job has been made easier by the release this week of a rooting tool called TowelRoot.


George Hotz, a well-known hacker in security circles, developed the tool. Hotz uses the handle Geohot.

"This (TowelRoot) could be a good learning tool for hackers to expedite their own tools," Dean Weinert, product manager for ThreatMetrix, said.

The Linux community has released a patch for the vulnerability, officially listed as CVE-2014-3153. However, wireless carriers and device manufacturers are notoriously slow in releasing fixes, if they release them at all.
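Because carriers and manufacturers backport fixes into their own kernel trees, the kernel version string on a handset says little about whether this particular fix is present. CVE-2014-3153 is a flaw in the kernel's futex requeue handling, and the upstream fix rejects a requeue-PI request whose two futex addresses are identical. The probe below, an added example that is not part of the article and not derived from TowelRoot, issues exactly that request on a private futex word with no waiters and reads the kernel's answer: EINVAL means the check is in place, success means it is absent. It assumes a Linux system with glibc (on an Android device it would be built with the NDK and run from adb shell); a "missing" result shows only that the fix is absent, not that the device is exploitable in practice, and ENOSYS (for instance a kernel built without PI futex support) is reported as inconclusive.

```c
/* Probe for the upstream CVE-2014-3153 fix: a requeue-PI futex request whose
 * two futex words share one address must be rejected with EINVAL.
 * Added example, not from the article; assumes Linux with glibc. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <linux/futex.h>
#include <sys/syscall.h>
#include <unistd.h>
#endif

enum futex_fix_status {
    FUTEX_FIX_PRESENT,      /* kernel answered EINVAL: same-address requeue-PI rejected */
    FUTEX_FIX_MISSING,      /* kernel accepted the request: pre-fix behaviour */
    FUTEX_FIX_INCONCLUSIVE  /* no PI futex support, not Linux, or an unexpected error */
};

/* Issue FUTEX_CMP_REQUEUE_PI with uaddr1 == uaddr2 on a private futex word
 * that nobody waits on.  Nothing is woken or requeued on either a fixed or an
 * unfixed kernel; only the return code differs, so the probe is harmless.
 * saved_errno (may be NULL) receives errno when the syscall failed, else 0. */
enum futex_fix_status probe_futex_requeue_pi_fix(int *saved_errno)
{
#ifdef __linux__
    int futex_word = 0;  /* must equal val3 so the compare step would pass */
    long rc = syscall(SYS_futex, &futex_word,
                      FUTEX_CMP_REQUEUE_PI | FUTEX_PRIVATE_FLAG,
                      1L,                     /* nr_wake: requeue-PI demands exactly 1 */
                      (unsigned long)1,       /* nr_requeue, carried in the timeout slot */
                      &futex_word,            /* uaddr2 == uaddr1: the case the fix rejects */
                      0L);                    /* val3: expected current value of *uaddr1 */
    int err = (rc == -1) ? errno : 0;
    if (saved_errno)
        *saved_errno = err;
    if (rc == 0)
        return FUTEX_FIX_MISSING;
    if (rc == -1 && err == EINVAL)
        return FUTEX_FIX_PRESENT;
    return FUTEX_FIX_INCONCLUSIVE;  /* ENOSYS, ENOMEM, ... */
#else
    if (saved_errno)
        *saved_errno = 0;
    return FUTEX_FIX_INCONCLUSIVE;
#endif
}

const char *futex_fix_status_str(enum futex_fix_status s)
{
    switch (s) {
    case FUTEX_FIX_PRESENT: return "fix present (EINVAL)";
    case FUTEX_FIX_MISSING: return "fix missing (request accepted)";
    default:                return "inconclusive";
    }
}

int main(void)
{
    int err = 0;
    enum futex_fix_status s = probe_futex_requeue_pi_fix(&err);
    printf("CVE-2014-3153 requeue-PI check: %s", futex_fix_status_str(s));
    if (s == FUTEX_FIX_INCONCLUSIVE && err)
        printf(" (errno %d: %s)", err, strerror(err));
    putchar('\n');
    return s == FUTEX_FIX_PRESENT ? 0 : 1;
}
```

The private flag matters: the upstream check applies to private futexes, which is also the path a local app would use. Run the probe once per kernel build rather than per device model, since the same handset often ships with different carrier kernels.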

As a result, companies with employees using Android devices could be exposed to the threat for months, experts said Wednesday.

Like other vulnerabilities in an operating system's kernel, an exploit of the latest flaw could let a criminal take control of the device and open a backdoor for downloading additional malware.

What makes the vulnerability so far-reaching is that it affects Android 4.4 and earlier versions, which covers nearly every device already sold by manufacturers and carriers. Affected devices include the popular Samsung Galaxy S5.

Companies with liberal bring-your-own-device policies are more at risk than those that restrict employees to a few devices, which could be patched by IT staff.

Because the vulnerability is in the Linux kernel, cybercriminals can build exploits that bypass antivirus software and other popular security mechanisms, such as containers meant to stop corporate data from being transferred to another app.

"An attacker could carve out a place on a mobile device that is outside of the view of most Android security tools," Ryan Permeh, chief scientist at Cylance, said.

In addition, malware could be built quickly by extracting the innards of the exploit used in TowelRoot and then repackaging it in an app, Michael Shaulov, chief executive of mobile security company Lacoon, said.

Google scans for malicious code in apps provided through Google Play, so users of the official online store will be much safer than people who download apps from third-party outlets with fewer safeguards.

Restricting employees to approved app stores is one way to reduce the chances of downloading malware. "It's important to be careful about which applications are loaded," Permeh said.

Mobile security software that monitors hardware changes and application activity would be the most effective at catching malware aimed at the Linux vulnerability, experts say.


Infected devices should be reset to factory settings after backing up data, but not applications. However, experts warn that, depending on the malware, even a reset might not remove all malicious code.

"Recovery could be tricky, as once an attacker gains kernel level code access, they can do literally anything with the phone," Permeh said.
