Millions of Android smartphones and tablets are vulnerable to security attacks, Google has warned. The vulnerability, if exploited, gives an app unfettered root access, circumventing various Android security layers. Google has made a patch available to OEMs, and says it is currently working on a fix for the Nexus lineup.
Security researchers spotted an app in Google Play, Android's marquee app store, that tries to leverage the vulnerability. Android inherited the flaw from Linux years ago. Interestingly, Linux developers fixed the bug in 2014, and it was later flagged as a vulnerability early last year.
The vulnerability is present in all Android releases that are based on Linux kernel version 3.4, 3.10, or 3.14, while those based on Linux kernel 3.18 or higher are not affected. Most Android 6.0 Marshmallow-based devices run Linux kernel v3.18. However, different OEMs often use different Linux kernel versions, so it is hard to correlate Android version with kernel version.
Google also noted that it has shared the patches for the flaw with OEMs, and has also published them to the Android Open Source Project. It is now up to manufacturers how long they take to push the updates to their respective devices.