Linux Vulnerability Affects 1.4 Billion Android Devices
By Paul Liu
Saturday, August 28th, 2021

Security researchers working for San Francisco-based security firm Lookout Inc. have come across a major security bug which affects 80% of Android devices currently in use (over 1.4 billion smartphones and tablets). The vulnerability is said to occur because of a kernel flaw (CVE-2016-5696) present within the Linux operating system. The flaw made it into version 3.6 of Linux and it was carried over to Android 4.4 (KitKat) way back in 2012. Since the vulnerability was discovered very recently, it is still present in the latest versions of Android (6.0 and even Android Nougat).
The vulnerability in question affects the Transmission Control Protocol (TCP) implementation within the Linux operating system. TCP is a major component of online communication since it facilitates reliable and streamlined data delivery between servers and applications. The CVE-2016-5696 flaw allows attackers to hijack internet traffic, spy on unencrypted connections, terminate encrypted connections, redirect Tor traffic to malicious nodes and even inject malware into target devices from a remote location. The vulnerability is especially serious since Linux is the operating system of choice for a majority of web servers and is also present in many electronic devices in one form or another.
According to Lookout, it would take just 10 seconds for an attacker to determine, through the flaw, whether an Android device is connected to an unencrypted website. What’s more, once the authenticity of the connection is established, the hacker can inject malicious code into the target device in as little as 45 seconds. Considering that there are countless unencrypted Wi-Fi networks in public places, hackers can make use of the bug to target hundreds of Android devices within minutes.
Once an unencrypted online connection is detected, the exploit allows hackers to inject malware into the target device via malicious JavaScript code. The code can be designed to mimic the behavior of the website that the user is visiting to make it look more authentic. For instance, the user could be shown a timeout pop-up window and asked to log in again to access features of the site. As you may have guessed, the pop-up window is actually the malicious code deployed to steal user credentials. The bad news is that the vulnerability can be exploited not only via browsers but also via apps (such as email and messaging apps).
Lookout recommends making use of encrypted connections to remain safe from the vulnerability. If a website or app that you frequently use does not use the HTTPS protocol, then consider subscribing to a VPN service. And if you are using a rooted Android device, you can avoid becoming a target of the vulnerability by using the sysctl tool and changing net.ipv4.tcp_challenge_ack_limit to an extremely large value.
Google, for its part, has assured Android users that it is taking appropriate steps to protect them from the vulnerability. The company is expected to roll out a patch for Android soon after the Linux OS developers patch the flaw within the OS kernel. While there is no definite timeline available for the release of the patch, experts believe that it should be available with the September or October monthly security updates of Android.