Linux Bug ‘Lets Attackers Target Billions Of Android Devices’

About 80 percent of all Android gadgets are vulnerable, say experts

About 80 percent of Android mobile devices are affected by a Linux flaw that could allow attackers to intercept communications and obtain sensitive information, researchers said.

The bug, disclosed last week at the Usenix security conference in Austin, Texas, affects about 1.4 billion devices, according to mobile security researchers Lookout.

Communications flaw

The bug, which affects the Transmission Control Protocol (TCP), was discovered in version 3.6 of the Linux kernel, released in 2012, and Lookout found that it is present in Android 4.4 (“KitKat”) and all later versions, including the latest developer preview of Android Nougat.

“The issue should be concerning to Android users as attackers are able to execute this spying without traditional ‘man-in-the-middle’ attacks,” Lookout said in an advisory. “CISOs should be aware that this new vulnerability affects their Linux environments and Linux-based server connections (e.g. to popular websites) in addition to Android devices.”

While the bug is difficult to exploit – meaning it presents only a “moderate” risk – it could be used in targeted attacks to intercept sensitive information that hasn’t been encrypted, Lookout said.

“Targeted attacks would be able to access and manipulate unencrypted sensitive information, including any corporate emails, documents, or other files,” Lookout stated.

Attackers could inject malicious code into unencrypted traffic, for instance sending a user a script that would present a false login window in order to obtain security credentials, researchers said.

Patching issues

While most Linux systems can be patched using routine procedures, the bug presents more of a risk for Android devices, which in many cases have sluggish or nonexistent patching processes.

While awaiting Android patches, Lookout said organisations can mitigate the bug’s risk by encrypting their communications or, on rooted devices, executing a command via the sysctl tool that makes the bug more difficult to exploit.
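A defender's check for the sysctl mitigation mentioned above, as an added example that is not from Lookout's advisory or the original article. It classifies a host from its kernel release and its challenge-ACK limit. Assumptions not stated on this page: the setting is `net.ipv4.tcp_challenge_ack_limit`, affected kernels default it to 100, the upstream fix raised the default to 1000 and randomised it, and 999999999 is the mitigation value circulated at disclosure.

```shell
#!/bin/sh
# Added example: triage a Linux/Android host for CVE-2016-5696 exposure.
# Assumed (not from the article): sysctl name, default 100 on affected
# kernels, default 1000 after the upstream fix, mitigation value 999999999.
# Mitigation on a rooted device or server (run as root):
#   sysctl -w net.ipv4.tcp_challenge_ack_limit=999999999

# assess_challenge_ack KERNEL_RELEASE LIMIT
# Prints: not-affected | exposed | mitigated | review
assess_challenge_ack() {
    release=$1
    limit=$2
    # Pull major and minor out of strings such as "3.10.49-g1234abc"
    major=${release%%.*}
    rest=${release#*.}
    minor=${rest%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) echo review; return ;; esac
    case "$minor" in ''|*[!0-9]*) echo review; return ;; esac
    # The article dates the bug to kernel 3.6; earlier kernels predate it
    if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 6 ]; }; then
        echo not-affected
        return
    fi
    # A missing or non-numeric limit cannot be judged automatically
    case "$limit" in ''|*[!0-9]*) echo review; return ;; esac
    if [ "$limit" -le 100 ]; then
        echo exposed        # old fixed default: unpatched and unmitigated
    elif [ "$limit" -ge 999999999 ]; then
        echo mitigated      # limit raised far beyond what can be probed
    else
        echo review         # e.g. 1000: confirm the vendor kernel has the fix
    fi
}

# Live check on the current host; the file is absent on kernels before 3.6
limit_file=/proc/sys/net/ipv4/tcp_challenge_ack_limit
current=$(cat "$limit_file" 2>/dev/null || true)
echo "this host: $(assess_challenge_ack "$(uname -r)" "$current")"
```

A `review` result is deliberate: vendors backport fixes without changing the kernel version string, so an intermediate limit needs confirmation against the vendor's patch notes.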

Lookout said it expects Google to release an Android patch in its next monthly update, and Google confirmed in a statement that it is aware of the issue and is “taking the appropriate actions”.

The bug, designated CVE-2016-5696, was disclosed last week by researchers from the University of California, Riverside and the US Army Research Laboratory, and a patch was released last month.
