It seems Lenovo is now warning owners of its Vibe series of smartphones that a vulnerability has been found which could affect their devices. To be clear, while this seems to be a Vibe-specific issue at the moment, it is related more to the Android version running on the device than to the device itself: Lenovo has confirmed that Vibe smartphones running Android 6.0 (Marshmallow) or newer already contain a fix for the issue. Therefore, only Vibe phones running Android 5.0 (Lollipop) or older are susceptible to the vulnerability.
The vulnerability has the potential to allow root privileges to be obtained on a device. As has commonly been noted with such privilege escalation, once root access is achieved the device can become somewhat compromised and can fall foul of a number of different attacks or issues. However, even affected devices are only likely to be at risk if the owner does not make use of a secure locking system, such as a PIN or password. For owners who do fall into this category, Lenovo advises either enabling a lock screen authentication measure or ensuring that ADB is not enabled when it is not being directly used by the owner. Lenovo also provides a general warning that users should avoid rooting their device to begin with, due to the increased chance of security and stability issues arising.
This issue seems to have first come to light through FireEye’s Mandiant Red Team back in May 2016, when the security team identified it as present on the Lenovo Vibe P1. A similar recent announcement from FireEye further explains the nature of the issue and notes how Lenovo was informed of it at the time (May 2016). Lenovo has provided a list of devices that are known to be immune to the issue, as well as a list of those that might be susceptible. Both lists, as well as a more detailed description of the issue and how to mitigate it, are available through the link below.