An exploit being used to 'root' Android devices could be repackaged by attackers to compromise phones.
An exploit being used to 'root' Android devices could be repackaged by attackers to compromise phones.

An exploit being used by a simple application to ‘root' Samsung Galaxy S5 phones on Verizon and AT&T – and possibly all Android mobile devices released prior to June 3 – can easily be repackaged by attackers for malicious purposes, according to mobile security company Lacoon.

Users ‘root' their Android devices to gain more privileged control of the device, and enable actions not available to regular users. 

Towelroot, the recently released application by popular mobile hacker George Hotz, does this by exploiting a vulnerability – CVE-2014-3153 – for Linux kernel through version 3.14.5, according to a Monday post by Ohad Bobrov, VP of research and development with Lacoon.

Towelroot makes the process effortless – with a one-click interface, the application is said to easily ‘root' several devices running the Android operating system, including the popular Samsung Galaxy S5, according to the post.

On the flipside, the vulnerability can just as easily be exploited by attackers to gain access to those aforementioned Android devices, ultimately enabling cyber crooks to run malicious code, steal sensitive information, bypass enterprise data protection applications, and drop in backdoors for later access, according to the post.

“An attacker can package the exploit into any app and distribute it,” Michael Shaulov, CEO and co-founder of Lacoon, told SCMagazine.com in a Monday email correspondence. “Once the user opens the app, the exploit will run and will allow the hacker root access on the device.”

In an example, Shaulov said that an attacker might start by extracting the exploit from Towelroot and embedding it in a legitimate application, such as the popular game Angry Birds, using open source tools that are freely available.

Next, the attacker might add malicious code that will execute after the exploit is run, such as a rootkit or surveillance, Shaulov said, adding the malicious app would then be distributed either via drive-by download or through app stores.

“Currently [Towelroot] itself is not malicious, except [for] the fact that it will root the device, which will expose the user and the data to additional attacks,” Shaulov said. “Hopefully the vendors will issue a quick patch for the vulnerability.”

Seeking a bigger picture of what mobile devices enterprises prefer that employees use, Good Technology analyzed data generated from its customers that had at least five activated devices in the first quarter of this year – Android activations made up 27 percent of total device activations, and iOS activations made up 72 percent.