How to defend against the latest Android kernel flaw

Experts say careful monitoring of app activity and hardware changes will protect against the flaw that affects nearly every popular Android device


Companies should be on the lookout for exploits of a troubling vulnerability in the Linux kernel that exists in nearly every popular mobile device running Android, experts say.

Cybercriminals are likely to target the flaw with malware soon, given the relative simplicity of developing an exploit. Their job has been made easier by the release this week of a rooting tool called TowelRoot.

George Hotz, a well-known hacker in security circles, developed the tool. Hotz uses the handle Geohot.

"This (TowelRoot) could be a good learning tool for hackers to expedite their own tools," Dean Weinert, product manager for ThreatMetrix, said.

The Linux community has released a patch for the vulnerability, officially listed as CVE-2014-3153. However, wireless carriers and device manufacturers are notoriously slow in releasing fixes, if they release them at all.

As a result, companies with employees using Android devices could be exposed to the threat for months, experts said Wednesday.

Like other vulnerabilities in an operating system's kernel, an exploit of the latest flaw could let a criminal take control of the device and open a backdoor for downloading additional malware.

What makes the vulnerability unique is that it's in Android 4.4 and earlier versions, which covers nearly every device already sold by manufacturers and carriers. Affected devices include the popular Samsung Galaxy S5.

Companies with liberal bring-your-own-device policies are more at risk than those that restrict employees to a few devices, which could be patched by IT staff.

Because the vulnerability is in the Linux kernel, cybercriminals can build exploits that bypass antivirus software and other popular security mechanisms, such as containers that prevent corporate data from being transferred to another app.

"An attacker could carve out a place on a mobile device that is outside of the view of most Android security tools," Ryan Permeh, chief scientist at Cylance, said.

In addition, malware could be built quickly by extracting the innards of the exploit used in TowelRoot and then repackaging it in an app, Michael Shaulov, chief executive of mobile security company Lacoon, said.

Google scans for malicious code in apps provided through Google Play, so users of the official online store will be much safer than people who download apps from third-party outlets with fewer safeguards.

Restricting employees to approved app stores is one way to reduce the chances of downloading malware. "It's important to be careful about which applications are loaded," Permeh said.

Mobile security software that monitors hardware changes and application activity would be the most effective at catching malware aimed at the Linux vulnerability, experts say.

Infected devices should be reset to factory settings after the data, but not the applications, is backed up. However, experts warn that depending on the malware, even a reset might not remove all malicious code.

"Recovery could be tricky, as once an attacker gains kernel level code access, they can do literally anything with the phone," Permeh said.

Copyright © 2014 IDG Communications, Inc.
