For many Android users, one of the clear benefits of ‘rooting’ a device is that they gain access to a deeper level of the operating system. Root access essentially gives them greater control of the system, or gives the root-required apps they would like to install the control needed to fulfill their functions. However, the downside of rooting is that changes made at the root level can also cause damage, sometimes irreparable damage, or worse still, give certain apps abilities you might not want them to have.
Last Friday, Google sent out an Android Security Advisory notice that a flaw in Android can result in applications gaining root access to devices. Needless to say, the result is that an application exploiting the flaw is able to take control of a device and, at the extreme, this could result in “local permanent device compromise”. To be clear, this is not a new issue, as the basis for this flaw dates back almost two years, to when it was first picked up. More recently, however, an app which had made its way onto the Google Play Store has been noted as being able to take advantage of the vulnerability. The security statement does make it clear that this does not seem to be the purpose of the app, but instead an unfortunate byproduct.
Either way, the advisory notice was posted firstly to warn (not scare) Android device owners about the current situation, and secondly to advise on what is being done to remedy it. The post, dated March 18th, states that a fix for this flaw had already been scheduled as part of an upcoming monthly update. However, the recently noted app access has now escalated the issue to one which the Android security team deems “critically severe”, and as such a new security update is being put together for Nexus devices and will be rolling out imminently. The patch has also been passed to partner manufacturers so that they can apply it to their respective devices in due course. Of course, this does mean that if you are running a device which has yet to receive an update later than March 18th, your device is technically still prone to the vulnerability. Likewise, if you have received an update since March 18th, this does not necessarily mean that the fix is included, and in fact it likely is not, as partner manufacturer updates will take some time to begin rolling out. Those interested in reading more about the current situation with the CVE-2015-1805 flaw can do so by heading through the source link below.