App used to root Nexus 5, Nexus 6 found to have exploited 'local elevation of privilege vulnerability,' but .
Google has issued a supplemental update to its monthly Android Security Advisory after a critical flaw in the Linux kernel was found to be exploited by a rooting app. The flaw, as originally reported, was scheduled to be patched in a coming monthly security update, but that changed once researchers from Zimperium were able to demonstrate an exploit, and an application using it to root a Nexus 5 and a Nexus 6 was found in the wild. (Google did not name the rooting application in question.) The issue was then reclassified as Critical severity, and the patch has been sent to AOSP and Android partners.
While software exploiting the issue is available, Google reminds us that it has checks in place — in Google Play itself (which doesn't allow rooting apps), as well as outside the Play Store — that will keep any possible consumer impact low. Verify Apps (Google's "Bouncer") has already been updated to detect and block installation of apps that attempt to exploit this vulnerability, both within and outside of Google Play. In addition, any Android device running Linux kernel version 3.18 or higher is not vulnerable. (The new Samsung Galaxy S7, for example, is on kernel version 3.18.20.)
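A fleet-triage helper built on the kernel-version rule above, added here as an example rather than code from the article, Google or Zimperium. It assumes you have collected `uname -r` output per device (for instance via `adb shell uname -r`); the inventory below is constructed, and anything below 3.18 is flagged for a patch-level check rather than declared vulnerable, since vendors may have backported the fix.

```python
"""Classify Android devices by kernel version against the 3.18 threshold.

Added example (not from the article). Rule of thumb from the article:
kernel 3.18 or newer is not affected. Older kernels are only flagged,
because an OEM may have shipped the AOSP patch on an older kernel line.
"""
import re
from typing import Dict, Optional, Tuple

FIXED_IN = (3, 18)  # per the article: 3.18 or higher is not vulnerable

def parse_kernel_release(release: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a `uname -r` string such as
    '3.10.49-g1234567' or '3.18.20-perf'. Returns None if unparsable."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def classify(release: str) -> str:
    """'not-vulnerable' at or above FIXED_IN, 'needs-patch-check' below it,
    'unknown' when the release string cannot be parsed."""
    ver = parse_kernel_release(release)
    if ver is None:
        return "unknown"
    return "not-vulnerable" if ver[:2] >= FIXED_IN else "needs-patch-check"

# Constructed sample of per-device `uname -r` output (hypothetical names).
SAMPLE_INVENTORY: Dict[str, str] = {
    "nexus5-lab-01": "3.4.0-g1234567",
    "nexus6-lab-02": "3.10.40-gabcdef0",
    "s7-lab-03": "3.18.20-9876543",
    "test-bench": "4.4.0-rc1",
    "odd-device": "unknown",
}

def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each device name to its classification."""
    return {name: classify(rel) for name, rel in inventory.items()}

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:15} {status}")
```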
To provide a final layer of defense, partners were provided with a patch for this issue on March 16, 2016. Nexus updates are being created and will be released within a few days. Source code patches for this issue have been released to the Android Open Source Project (AOSP) repository.
While the potential impact from this particular issue seems low, it's nice to see any critical issue being addressed in a timely manner and outside of the normal patch schedule. Interested parties can learn more at Google's security advisory page.