Is the Towelroot tool a simple way for Android smartphone users to gain root access on their devices or an inadvertent proof-of-concept that shows the way to cybercriminals?
TowelRoot was released only days ago by noted white hat George Hotz (aka 'GeoHot'), who made his name jailbreaking the supposedly inpregnable iPhone, iPad and Sony PS3, gaining him wide recognition. Using the software makes it trivial for the owner of a wide range of Android handsets running 4.4 KitKat to root their device, over-riding all security and gaining complete control.
Hotz’s target this time appears to have been the Samsung S5, which had an $18,000 (£10,500) bounty sitting on its head for anyone capable of gaining root access.
Normally that would be that but the complicating factor is that the tool gains this access by exploiting the recent Linux kernel bug, CVE-2014-3153, published by another well-known Pwnium white hat, Pinkie Pie, on 5 June.
Although it was not Hotz's intention, some now see TowelRoot as a handy proof-of-concept for cybercriminals looking for a way of packaging the exploit into malicious apps.
“Right now this vulnerability is only used by the rooting tool and has yet to show up in any malicious sample. Learning from the past, we can assume that it is only a matter of time until exploits for this vulnerability are distributed through other channels,” said Lacoon Security vice president of R&D, Ohad Bobrov in a blog.
In addition to the Samsung S5 (running on Verizon and AT&T), affected devices include the Motorola Razr HD and Razr MAXX HD, LG’s G Flex, and a clutch of Sony Experia models. In principle other devices are probably affected.
The flaw poses a risk to Linux users too but was at least rapidly patched; Android poses a much greater problem because it requires device vendors and mobile networks to implement a fix. This will take time and might in some cases never happen at all.
It is a certainty that Google Nexus device users will get a patch as part of a future update to Android 4.4.3 in the near future.
If cybercriminals do take the hint, malware will turn up on third-party app sites. TowelRoot's appearance suggests Android handset makers need to up their game when it comes to fixing flaws.