Google releases interim kernel patch for critical Android vulnerability
Google released an interim security update for its Android operating system on Friday to fix a vulnerability. The company did not wait for the monthly patch round because it has rated the vulnerability “critical”.
The vulnerability is tracked as CVE-2015-1805. Devices with Linux kernel versions 3.4, 3.10 and 3.14 are vulnerable. Kernel versions 3.18 and newer are not affected. Although Google has known about this vulnerability for some time, the company recently received evidence from security company Zimperium that it is also quite easy to exploit. With the exploit, a malicious application can obtain permanently elevated privileges, i.e. root access. That can only be undone by flashing the operating system again. Google states that it has not observed the exploit actually being used in the wild.
However, users do not necessarily have to wait for the various manufacturers to release the kernel update for their devices. Google itself has updated the Play Store malware scanner to filter out apps that exploit the vulnerability. In addition, Android’s Verify Apps feature has been updated so that it detects the apps in question when they are installed from outside the Play Store. With these measures, the risk already seems considerably smaller. Nexus devices will get an update in a few days, Google promises. AOSP patches are available immediately for manufacturers of non-Nexus devices.