Google released an emergency patch to address a local elevation of privilege vulnerability in the Android kernel.
Deemed critical, the vulnerability can be exploited by rooting applications to gain elevated privileges and run arbitrary code, which could lead to local permanent device compromise.
The issue affects all Android devices on kernel versions 3.4, 3.10 and 3.14, including all Nexus devices, but devices using Linux kernel version 3.18 or higher are not vulnerable, Google officials said.
The elevation of privilege vulnerability in the Android kernel allowed local malicious applications to execute arbitrary code in the kernel. Thus, the affected device could suffer permanent compromise, possibly requiring a re-flash of the operating system, the company’s advisory said.
The vulnerability can be exploited by rooting applications that users have installed on their devices, and Google is already aware of such apps being available.
Google said it has blocked the installation of software that abuses the flaw, both within and outside of Google Play, through Verify Apps.
Google’s advisory said the issue was discovered in the upstream Linux kernel and resolved in April 2014, but it wasn’t deemed a security flaw until last month.