Follow Up on “TowelRoot” Vulnerability

Following our latest blog post on “TowelRoot”, the rooting tool which exploits CVE-2014-3153 to root Android devices, we received quite a few questions. Due to readers’ concerns we thought it would benefit the security community to publish some of the more pertinent questions.

If you have any more follow-up questions, feel free to send them to [email protected] We’ll continue to update this page as inquiries continue to roll in.

Q: From a technical standpoint, what is the security implication of TowelRoot?
A: Once an attacker runs TowelRoot on the device, all the built-in security mechanism developed by Google, including SEAndroid, are defeated and the attacker can gain administrative privileges on the device.

Q: Which Android versions are vulnerable to the vulnerability behind TowelRoot?
A: The vulnerability affects devices based on Android 4.4.X, as well as earlier Android versions (including Jelly Bean). Particularly, vulnerable devices include:

  • Samsung: Galaxy S5 (International, Verizon and AT&T variants), Note 3 (International, Verizon and AT&T variants)
  • LG: G Flex
  • Motorola: RAZR HD/M, RAZR Maxx HD
  • Sony: Sony Xperia E1, C6603, C5303, Xperia T, Xperia z1, Xperia SP

Q: Since this vulnerability could bypass containers, does that mean that a successful exploit could potentially work-around Samsung Knox?
A: Yes, since rooting a device can ultimately lead to the removal of all of the device’s built-in security mechanisms.

Q: Is the TowelRoot rooting tool dangerous?
A: Currently, TowelRoot on its own is not malicious. However, it’s important to keep in mind that TowelRoot enables users, and malicious parties, to root the mobile device – exposing the targeted device and its corresponding data to additional attacks.

Q: How can an attacker exploit the vulnerability behind TowelRoot, i.e. CVE-2014-3153, to compromise Android devices?
A: An attacker can package the exploit within any Android app and distribute that app. When the user opens the particular app then the exploit will run, providing the attacker with root access on the device.

Q: From start to finish, what would the attack involve?
A: A likely attack scenario would follow these steps:

  1. The attacker extracts the exploit code from TowelRoot, the aforementioned rooting tool, and embeds it within a legitimate app, like Angry Birds. It’s important to understand that this stage does not require much technical expertise – there are freely available open source tools that perform exactly these types of activities.


  1. The attacker adds malicious code to their version of the re-packaged app. The malicious code can be, say, a rootkit or surveillance software. The malicious code is programmed to execute after the exploit has been run on the victim’s device and rooted it.


  1. The attacker publishes the “updated” version of the app through an App Store or delivering it via email or the Web (aka drive-by-download) for an unwitting user to install.

Q: What should people expect to see in terms of this vulnerability being used as an attack vector?
A: Similar vulnerabilities that enable rooting have already been exploited in the past. Based on past experience, we can expect to see the cyber-entities exploiting this vulnerability – especially as a rooting tool already exists.

Q: Is Google going to address the vulnerability?
A: Yes. However, it will take a lot of time until it will be delivered as a patch to the devices. The reason is that these patches are also held up by the patch cycles of the handset manufacturers as well as the delivery cycles of the mobile operators.

Q: Does Lacoon help protect against this vulnerability?
A: Yes. As part of its on-device analysis, Lacoon can detect rooting attempts against Android devices. Also, our Cloud-based app analysis service can detect apps that include an exploit to a rooting vulnerability.