Details of a new Android malware family that gains root access and writes files into the system partition of the device's file system, an area that only system or root processes can touch, were published yesterday by the Chinese antivirus company 360. Rather than exploiting a new flaw, the malware bundles two known Android 4.x privilege escalation (PE) exploits, Framaroot and Towelroot, to run code as root and install a rootkit on the device that hides the malicious code and defeats attempts to remove the malicious apps.
This represents a serious escalation in Android malware, and it is the first time we've seen reports of malware using Android 4.x PE exploits to run code on an infected device. Once on the device, the malicious code collects sensitive data such as unique identifiers, device and OS versions, and network connectivity details. It also installs additional apps, such as a flashlight and a calendar, without any user consent, and uses aggressive tactics to keep them installed: even if they are removed with root privileges, the apps are reinstalled automatically.
Using the two exploits together also gives the malware a very large pool of susceptible devices. Towelroot relies on the futex vulnerability in the Linux kernel (CVE-2014-3153), which most Android devices released before Android Lollipop are exposed to. Framaroot is a rooting tool built on several exploits that cover most Samsung, LG, Huawei, Asus and ZTE devices, among others. Together, that is a large share of the Android devices in the market, and any of them used for work could expose the enterprise to risk.
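To turn the exposure claim above into something an administrator can act on, here is an added triage helper (my example, not code from the original post or from 360's report) that estimates from two strings an MDM agent or `adb shell` can read, `ro.build.version.release` and `uname -r`, whether a device is a plausible Towelroot target. It assumes, and these are my assumptions rather than anything stated on the page, that the stable kernel point releases carrying the backported fix for CVE-2014-3153 were 3.2.60, 3.4.95, 3.10.43, 3.12.22 and 3.14.6, with 3.15 and later fixed in mainline. Because Android vendor kernels are typically an old point release plus cherry-picked patches, a base version that predates the backport is reported as "possibly-exposed", never as certainly exposed; only inspecting the vendor's patches (or probing the futex requeue path directly) settles it. The sample inputs at the bottom are constructed for illustration.

```python
"""Triage helper for CVE-2014-3153 (the futex bug used by Towelroot).

Added example, not from the original post or from 360's report.
The FIXED_IN table below is an assumption of mine about which stable
point releases received the backport; verify it against the kernel
changelogs before relying on it.
"""
import re
from typing import Dict, Optional, Tuple

# (major, minor) -> first patch level of that stable series with the fix
# (assumed; see module docstring).
FIXED_IN: Dict[Tuple[int, int], int] = {
    (3, 2): 60,
    (3, 4): 95,
    (3, 10): 43,
    (3, 12): 22,
    (3, 14): 6,
}
# Every mainline kernel from this version on shipped with the fix.
FIXED_FROM = (3, 15)

_KERNEL_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
_ANDROID_RE = re.compile(r"^(\d+)(?:\.(\d+))?")


def parse_kernel_release(uname_r: str) -> Optional[Tuple[int, int, int]]:
    """Turn '3.4.0-perf-g1234abc' into (3, 4, 0); None if unparseable."""
    m = _KERNEL_RE.match(uname_r.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def futex_status(uname_r: str) -> str:
    """Return 'fixed', 'possibly-exposed' or 'unknown' for CVE-2014-3153.

    'possibly-exposed' means the base version predates the backport; the
    vendor may still have cherry-picked the fix, so treat it as a lead,
    not a verdict.
    """
    ver = parse_kernel_release(uname_r)
    if ver is None:
        return "unknown"
    major, minor, patch = ver
    if (major, minor) >= FIXED_FROM:
        return "fixed"
    fixed_patch = FIXED_IN.get((major, minor))
    if fixed_patch is None:
        # A pre-3.15 series the backport table does not cover (e.g. 3.0.x):
        # no stable backport to compare against, so assume possibly exposed.
        return "possibly-exposed"
    return "fixed" if patch >= fixed_patch else "possibly-exposed"


def android_release_before_lollipop(release: str) -> Optional[bool]:
    """True for 4.x and earlier, False for 5.0+, None if unparseable."""
    m = _ANDROID_RE.match(release.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2) or "0")) < (5, 0)


def assess(android_release: str, uname_r: str) -> Dict[str, object]:
    """Combine the OS-version rule from the post with the kernel check.

    The device is flagged as a Towelroot candidate only when both signals
    agree: pre-Lollipop Android and a kernel that may lack the futex fix.
    """
    status = futex_status(uname_r)
    pre_l = android_release_before_lollipop(android_release)
    return {
        "android_pre_lollipop": pre_l,
        "kernel_futex_status": status,
        "towelroot_candidate": bool(pre_l) and status == "possibly-exposed",
    }


if __name__ == "__main__":
    # Constructed sample inventory (not real device data).
    inventory = [
        ("4.4.2", "3.4.0-perf-g1234abc"),   # typical unpatched KitKat build
        ("4.4.4", "3.4.95-g7f0a1b2"),       # vendor rebased onto fixed point release
        ("5.0.1", "3.10.40-gdeadbee"),      # Lollipop, old kernel base
        ("4.1.2", "not-a-kernel-string"),   # unparseable uname
    ]
    for release, kernel in inventory:
        print(release, kernel, assess(release, kernel))
```

In practice, run the check from the MDM inventory rather than on the device, and treat every "possibly-exposed" hit as a queue item for patch verification, not as proof that the device can be rooted.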
Its persistence and its ability to run code as root on infected devices make this malware particularly troubling for enterprises trying to protect sensitive data on employee-owned devices. A user who notices that something is wrong might assume that deleting the suspicious apps fixes the problem, but the malware goes to great lengths to preserve itself. Left undetected, it could steal both personal and enterprise information from the user's device.