Some Nexus devices already received their March 2016 Android security update earlier this month. It turns out, however, that Google will release another March 2016 security update for Android. This is needed to plug a critical flaw in the Linux kernel that can be exploited to root the device.
Google already knew about the flaw, and it was originally scheduled to be patched in the April 2016 security update. The situation changed when Zimperium demonstrated an exploit for this flaw, and an application was found in the wild that uses the exploit against Nexus 5 and Nexus 6 devices. Google did not name the rooting application.
This kernel flaw is a local elevation of privilege vulnerability in the Linux kernel of some Android devices. Android devices using Linux kernel version 3.18 or higher are not affected by this flaw. Nexus devices, unfortunately, don’t use a new enough Linux kernel and hence are affected. Read Google’s Android Security Advisory 2016-03-18 for more details.
This flaw is serious, but its real world threats are mitigated by several factors.
- The Google Play store does not allow rooting applications.
- Android’s Verify Apps feature blocks the installation of applications from both within and outside of the Google Play store that Google has learnt are attempting to exploit this vulnerability.
Of course, all of this depends on Google knowing about the exploit apps. The best and most effective solution is to have the vulnerability fixed. If you don’t have a supported Nexus device, that probably means you need a reasonably modern Android device, one that runs a newer Linux kernel (version 3.18 or later), such as the new Samsung Galaxy S7.
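A small check that applies the two facts above (the 3.18 kernel threshold and the 2016-03-18 advisory) to a device, added here as an example and not part of the original post or of Google’s tooling. It assumes the fix is carried by Android security patch level 2016-03-18 or later, and that adb is on the PATH for the optional device query; the version strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example: classify a device as not-affected, patched, vulnerable or unknown
# from its kernel release (uname -r) and its security patch level property.
# Assumption: security patch level 2016-03-18 or later carries the kernel fix.

# Returns 0 if the kernel release string is older than 3.18, 1 if it is 3.18
# or newer, 2 if the string cannot be parsed.
kernel_older_than_3_18() {
    num=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # "3.10.40-g1234567" -> "3.10.40"
    major=$(printf '%s' "$num" | cut -d. -f1)
    minor=$(printf '%s' "$num" | cut -s -d. -f2)     # -s: empty when there is no dot
    [ -n "$major" ] || return 2
    [ -n "$minor" ] || minor=0
    if [ "$major" -lt 3 ]; then return 0; fi
    if [ "$major" -eq 3 ] && [ "$minor" -lt 18 ]; then return 0; fi
    return 1
}

# Returns 0 if the build's security patch level (YYYY-MM-DD) is at or past the
# assumed fix level; an empty or malformed level (older Android) returns 2.
patch_level_has_fix() {
    level=$(printf '%s' "$1" | tr -d '-')           # "2016-03-18" -> 20160318
    case "$level" in ''|*[!0-9]*) return 2 ;; esac
    [ "$level" -ge 20160318 ]
}

# Prints one of: not-affected, patched, vulnerable, unknown.
# A kernel below 3.18 with no evidence of the fix is reported as vulnerable.
device_status() {
    kernel_older_than_3_18 "$1" && k=0 || k=$?
    if [ "$k" -eq 1 ]; then echo not-affected; return 0; fi
    if [ "$k" -eq 2 ]; then echo unknown; return 0; fi
    if patch_level_has_fix "$2"; then echo patched; else echo vulnerable; fi
}

# Optional: query a connected device (run as `sh check.sh --device`).
check_device() {
    k=$(adb shell uname -r | tr -d '\r')
    l=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    printf 'kernel=%s patch_level=%s status=%s\n' "$k" "$l" "$(device_status "$k" "$l")"
}
if [ "${1:-}" = "--device" ]; then check_device; fi
```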