Security flaw affects numerous devices and could be used for malicious purposes

Jun 18, 2014 08:36 GMT

Geohot's newly released app for rooting Android devices, Towelroot, leverages a Linux vulnerability in the futex subsystem.

Identified as CVE-2014-3153, the security flaw affects Linux kernel versions through 3.14.5 and allows administrator privileges to be obtained through a FUTEX_REQUEUE command.

The Linux kernel has been patched against this issue, but vulnerable versions still power many Android devices on the market, and the flaw is present on Android 4.4 (KitKat).

Different Android devices run different kernels, but some key components remain the same, such as the affected futex subsystem. This is why Geohot's Towelroot gained so much popularity: it can be applied easily across multiple devices.

According to Ohad Bobrov, VP of R&D at security firm Lacoon, exploiting this vulnerability allows an attacker to execute malicious code with administrator privileges and gain access to sensitive information.

Moreover, the weakness could be exploited to insert “a persistent backdoor on the device to be later used for further attack activities,” the Lacoon Security representative said in a post on the company’s blog.

The purpose of imposing limited privileges is twofold: first, novice users cannot make modifications to system files, which could lead to rendering the device unusable.

The second reason is to restrict software installed by the user from accessing sensitive areas of the system. This mitigates the risk of an untrusted app logging the user's location or accessing data captured by the built-in camera.

Towelroot can be applied to a myriad of devices, including the Galaxy S5, Nexus 5, Galaxy S4 Active, LG G Flex, Motorola RAZR HD/M/RAZR Maxx HD, Sony Xperia E1, C6603, C5303, Xperia T, Xperia Z1 and Xperia SP. It is distributed as an Android app (APK), which makes rooting an automated process.

Geohot, whose real name is George Hotz, is also known for having unlocked Apple iOS devices in 2007, as well as for hacking Sony's PS3 console towards the end of 2009, which landed him a job at Facebook; at the moment, however, he no longer works with them.

Bobrov says that the vulnerability is currently used only by this rooting tool “and has yet to show up in any malicious sample. Learning from the past, we can assume that it is only a matter of time until exploits for this vulnerability are distributed through other channels.”

In order to protect sensitive information, users are advised to refrain from rooting their Android devices, to install applications from reputable stores such as Google Play, and to avoid opening unknown or suspicious links sent to the device.