(CVE-2014-7911) Privilege Escalation Exploit for Android

Researchers on Tuesday released details of a vulnerability in Google’s Android operating system versions prior to Android 5.0 (a.k.a Lollipop). This Privilege Escalation vulnerability enables an attacker to acquire administrator level permissions and access. When exploited, it leaves Android devices exposed by failing to properly and securely serialize data, allowing an app to bypass restrictions, and an attacker to run code under system privileges.

(For more technical information, visit the Android Git repositories.)

Who’s at risk?

Although Lollipop is immune, it’s only available today for newer smartphones and tablets — mainly newer Nexus devices — leaving most of Android’s one billion users at risk. The newest versions of Android, along with their security fixes, aren’t available to all devices on day one, and some older devices aren’t compatible at all.

Of those devices for which an update is available, not all users will install it. In fact, only 30% of Android users have adopted Android 4.4 Kitkat. Making matters worse, some devices rely on carriers or manufacturers to provide a customized Android updates — something than can take months.

This fragmentation of in-market Android devices is an urgent concern for end users and enterprises alike because, without proper device security in place, these devices can become easy targets for cybercriminals.

What is the method of attack?

There are several different ways this vulnerability can be used to infect a device. An attacker could:

  • trick the user into infecting a device by sending link in an email or text message that, when tapped, installs a malicious app.
  • use a web-based attack that leverages a public vulnerability in another existing application, such as in the stock Android web-browser (CVE-2013-6632)
  • with physical access to the victim’s device, infect it by connecting it to the attacker’s computer.

What are the consequences of a successful attack?

Once attackers have successfully implemented this vulnerability, they can essentially seize full control of a device. They can bypass Android’s permission model and perform a range of actions:

  • Run malicious code under system (administrator) privileges.
  • Access private and sensitive files, user data and device information (regardless of encryption).
  • Access enterprise data, even within secure enterprise apps and containers.
  • Access banking and financial information via dedicated apps.
  • Install a persistent backdoor on the device, enabling future access that doesn’t rely on the current vulnerability.

How can enterprises minimize exposure?

Check what versions of Android are running on the devices you support. If it’s below 5.0, the device may be vulnerable. For customers using the Lacoon Mobile Threat Management Platform, the platform will detect this, and identify devices at risk.

Here’s some additional best practice advice:

  • Incremental updates and upgrades to the latest versions of Android should be installed as soon as they’re available. This ensures the latest security fixes are always installed.
  • Users should be instructed to install applications only from reputable sources like the Google Play store or from secure internal enterprise sites.
  • Users should be reminded never to open suspicious/unknown links sent to their device.