Your Android phone likely suffers from a serious vulnerability that could allow a hacker to take over the entire device if you make certain errors. Here is what you need to know.
What is the problem?
Last week, an almost decade old bug was discovered in Linux, the operating system upon which Android is built. The bug allows what security professionals term "privilege escalation" - that is, it allows a user (a human or a computer process running as part of an app or the like) who is authorized to perform certain functions to perform others that he, she, or it should not be able to do. This problem also impacts Android (at least when running on the ARM chips used in smartphones and tablets) - meaning that apps that exploit the vulnerability might be able to circumvent Android security and do all sorts of bad things without you knowing.
How is this possible (in simple terms - not techie speak)?
The bug - now termed Dirty COW (from "Dirty Copy-On-Write") - causes authorization controls to fail during certain situations of "race conditions" (explained below), thereby allowing regular apps or programs to run with the same permissions as if it were the operating system (as "root") and circumvent built-in security mechanisms.
In layman's terms, you can think of a "race conditions" problem as being one where two computer processes whose actions are interdependent (i.e., their actions and outputs change based on one another's actions) are run on a device simultaneously - and often repetitively - almost like in "race." Ultimately, the system which is trying to manage both rapidly running processes and keep all the instructions from the two processes in proper order relative to one another might slip and execute at least one instruction out of the proper sequence relative to the other process - and thereby cause unintended results.
Isn't this far fetched? Is this vulnerability real?
While race conditions are often difficult to reproduce - since one cannot control the timing of the execution of individual instructions within a device's CPU, and vulnerable code may execute correctly 99.9%+ of the time - in the case of Dirty COW, demonstrations have shown that the improper behavior due to race conditions can be triggered in less than a second. You read that correctly.
The problem of Dirty COW has been demonstrated with scary results (the explanation has been oversimplified for the sake of non-technical folks): If a program loads two files into a memory - one that it is allowed to read and run, but has no permission to modify, and one that it can modify (e.g., a copy of the first read-or-execute-only file) - and then writes repetitively and rapidly to the file to which it has permission to write while simultaneously telling the operating system that the memory used for the non-changeable file can be temporarily borrowed for use by the writing process since the read-and-execute only file is not as important, eventually the system makes a mistake and makes the edits to the memory being used for the read-or-execute-only file. Because various system tools that run with system permissions exist within Linux and Android as read-and-execute-only files, this means that by exploiting Dirty COW someone could do serious damage by creating rogue programs that "run as root."
In fact, an exploit has been demonstrated on Linux as to how an ordinary user with access to a computer running Linux can obtain root user privileges - that is, become able to run anything on the computer and impact any other users' materials on the device - by exploiting Dirty COW, to, without authorization, replace the contents of programs that run by the system with code supplied by the user. A similar vulnerability exists on Android.
For those interested in more technical detail, here is a good video.
What could happen to my Android device if I am not careful?
A rogue app that obtains system level privileges can circumvent Android's security features including its "sandboxing" that protects against apps accessing other apps' data. The rogue app could likely write to files that it should not have access to, change system configurations, or even install other malware that runs with system-level privileges. Malware running with system-level permissions could potentially steal your data record your calls and text messages, hijack your social media and online banking sessions, and wreck all sorts of havoc.
What do I need to do to protect myself?
1. Smartphone vendors will issue patches - in the form of system updates - that include fixes for Dirty COW. Install the updates.
2. Unlike a vulnerability that allows remote hackers to attack your device, DirtyCOW cannot be exploited unless rogue code is somehow installed on your device. Criminals certainly want to get that code onto your phone - but you are likely the one who would put it there. So, think twice before installing an app from a third-party market that is not well established. There are risks that such apps are less vetted for malware that apps coming from major app stores (such as Google Play or Amazon's App Store) - and Dirty COW makes it clear how bad the risks can be. Likewise, if an app is not issued by a known software provider, check how many people have installed the app before you - unless there is some critical reason that you need a particular app, it might be wise to be the first to try a new app. And, obviously, do not install apps by clicking links in emails or text messages. If you exercise good security hygiene you should be fine.