Google has rushed out an emergency patch for its Nexus devices following the discovery of an overlooked Linux kernel bug that can be used to permanently compromise Android devices.
In an advisory issued over the weekend, Google revealed it had been alerted to at least one unidentified rooting app, distributed through Google Play and third-party marketplaces, that exploits a local elevation-of-privilege vulnerability in the Linux kernel used by Android devices.
Android users install rooting applications to gain root (superuser) privileges on their phone, which gives them far more control over the device than Android's permission model normally allows; the same primitive, in a malicious app, means complete control of the device.
The Linux kernel flaw could allow an attacker to gain root access to Android devices by using a malicious application to execute arbitrary code in the kernel, Google said.
"This issue is rated as a critical severity due to the possibility of a local permanent device compromise and the device would possibly need to be repaired by re-flashing the operating system," Google warned.
It said that while it already blocks the installation of rooting apps that exploit the bug through its Verify Apps feature, it has also issued a patch to its Android original equipment manufacturer (OEM) partners to provide a "final layer of defense".
The vulnerability exists in all unpatched Android devices that run Linux kernel versions 3.4, 3.10 and 3.14, which includes Google's own Nexus line of smartphones.
While the bug was fixed in the upstream Linux kernel in April 2014, that fix was never carried into the Android kernels, and Google said it wasn't aware the vulnerability affected Android until last month, when Core Team researchers notified the company that the bug could be exploited on Android devices.
Google said it was last week informed by infosec firm Zimperium that the vulnerability had been abused on a Nexus 5 smartphone. Later, the company confirmed its Nexus 6 phones were also affected.