Bug used in the wild to root Nexus 5, Nexus 6 devices

Mar 21, 2016 18:59 GMT

Google has released an out-of-band security patch to address an issue in the Android mobile operating system that was being exploited in the wild to root Nexus 5 and Nexus 6 devices.

As the Google team explains, the issue is a bug discovered and fixed in the Linux kernel in April 2014. The Linux project didn't consider it a security risk until February 2015, when the bug also received a CVE identifier: CVE-2015-1805.

Since Android was built on top of a stripped-down Linux kernel, Google also took a look at the bug, but concluded that the issue wasn't a threat to its mobile OS, at least until February 19, 2016, when security researchers from the C0RE Team informed the company that CVE-2015-1805 could be exploited on Android devices.

Google engineers then moved to create a patch, which they prepared for their next Nexus Security Bulletin, scheduled for the start of April.

CVE-2015-1805 used to root Nexus 5 and Nexus 6 devices

On March 15, security researchers from Zimperium, the same company that discovered the Stagefright bugs, informed Google that they had spotted an app in the wild exploiting CVE-2015-1805 to root Android devices.

The following day, Google alerted OEM partners about the issue, and on March 18, it released a public security advisory about the bug, saying that new versions of the Android OS would be released in the following days.

The company says that all Android devices running on top of the Linux kernel versions 3.4, 3.10 and 3.14 are vulnerable. Only devices using the Linux kernel version 3.18 and higher are safe.

Currently, Google's Play store defensive measures detect any applications trying to exploit this issue to root Android devices.

The company's Verify Apps feature, included in the Android OS, also alerts users to the potential security risk when they install apps from non-verified sources. Unless users have turned off this feature and are installing apps from third-party stores on purpose, most of them should be safe.