A two-year-old security flaw could give hijackers root access to your Android phone

Google warns that hijackers could get root access to your Android phone from an application using a security flaw that was first discovered two years ago.


The flaw is in the Linux kernel, which Android is built on. It was actually fixed in April 2014, but it wasn’t flagged as a vulnerability at the time. Later, in February 2015, the security implications were discovered, and it subsequently received the CVE-2015-1805 identifier. Even so, it wasn’t an issue for Android devices since it wasn’t ported to the Android software.

However, last month the CoRE Team found that this vulnerability could be exploited by hackers to achieve root on Android devices. A hacker with root access to your device would acquire superuser access, which is more control than even you or third-party apps have. They would be able to access and modify all system files.

CoRE notified Google of the exploit, and the company started working on a patch that would be included in a future security update. Unfortunately, Google couldn’t work fast enough, as Zimperium, the security team that uncovered the Stagefright hack, told Google the exploit was already in use on a Nexus 5 phone.

This was done through an application in the Play Store that has already been blocked. Google actively blocks apps that attempt to achieve root access, but it’s unclear how long the app was in the wild. Google said in a security advisory, “Google has confirmed the existence of a publicly available rooting application that abuses this vulnerability on Nexus 5 and Nexus 6 to provide the device user with root privileges.”

Google classified this issue with a Critical severity rating, but the application in question wasn’t considered malicious. However, the Critical severity rating means that other hackers could use the same exploit to spread malware.

A patch is on the way

Google has already published patches for the flaw in the Android Open Source Project (AOSP) for the 3.4, 3.10 and 3.14 versions of the Android kernel. Versions 3.18 and above aren’t vulnerable.

These patches will be included in the April security update for Nexus devices. That’s the good news. The bad news is that Nexus devices only represent a handful of Android devices. It’s up to the manufacturers to issue patches for all the other Android devices around the world.

How to protect yourself

We know that exploits such as this one can be scary, but you’re unlikely to fall victim to it if you make sure to download apps only from Google Play, since Google will block any apps that use the exploit.

If you must install an app from a third party, make sure Verify Apps is turned on. To do this, open Settings, and find Google. Tap on it, followed by Security. Scroll down to the Verify Apps section and make sure that Scan device for security threats is turned on. Now any third-party apps that you install will be scanned for threats. Verify Apps is a good thing to turn on because it will protect you from all other exploits, not just this one.

If you want to find out if your device has received the patch, head into Settings, and tap on About Phone. Find the heading for the Android security patch level. If it’s April 1, 2016 or newer, you’re all set. If not, you can always contact the manufacturer of your phone and find out when the update will take place.
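For anyone checking more than one device, the two tests described above (security patch level of April 1, 2016 or newer, and kernel 3.18 and above not being vulnerable) can be scripted. This is an added example, not code from the article or from Google; the function names are hypothetical, and it assumes `adb` is installed and that the device reports its patch level in the `ro.build.version.security_patch` property.

```shell
#!/bin/sh
# Added example: triage a device for CVE-2015-1805 using the article's rules.
# classify PATCH_LEVEL KERNEL_RELEASE
#   prints: patched | not-affected | needs-update | unknown
classify() {
    patch=$1 kernel=$2

    # Patch level is reported as YYYY-MM-DD; compare it as an integer.
    # Older Android releases report nothing here, so fall through if empty.
    case $patch in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            if [ "$(printf '%s' "$patch" | tr -d '-')" -ge 20160401 ]; then
                echo patched; return 0
            fi ;;
    esac

    # Kernel release looks like "3.10.73-gabcdef"; keep major and minor only.
    major=${kernel%%.*}
    rest=${kernel#*.}
    minor=${rest%%[!0-9]*}
    case "$major.$minor" in
        .*|*.|*[!0-9.]*) echo unknown; return 0 ;;   # empty or non-numeric part
    esac

    # Per the article, 3.18 and above are not vulnerable.
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 18 ]; }; then
        echo not-affected
    else
        echo needs-update
    fi
}

# Read both values from a USB-connected device (assumes adb is on PATH).
check_connected_device() {
    patch=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    kernel=$(adb shell cat /proc/version | awk '{print $3}' | tr -d '\r')
    classify "$patch" "$kernel"
}

# Only touch a real device when asked: ./check.sh --device
if [ "${1:-}" = "--device" ]; then
    check_connected_device
fi
```

A result of `needs-update` means the device predates the April 2016 patch level and runs a kernel older than 3.18, so it depends on the manufacturer shipping the fix.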
