Linux Kernel Flaw Exposes Most Android Devices to Attacks

A recently disclosed Linux kernel vulnerability caused by a TCP feature affects nearly 80 percent of Android devices, according to mobile security firm Lookout.


The flaw, identified as CVE-2016-5696, lies in the Linux implementation of RFC 5961, a specification designed to defeat blind, off-path TCP spoofing attacks. The RFC has the receiver answer suspicious segments (a SYN on an established connection, an in-window RST with the wrong sequence number, an ACK with an implausible acknowledgment number) with a "challenge ACK" instead of acting on them. Linux rate-limits those challenge ACKs with a single global counter (net.ipv4.tcp_challenge_ack_limit, 100 per second by default before the fix), shared by every connection on the host. RFC 5961 has been implemented in the Linux kernel since 2012 (version 3.6), but not in Windows, Mac OS X or FreeBSD-based operating systems.

Researchers from the University of California, Riverside and the U.S. Army Research Laboratory showed that the shared counter is a side channel: a blind, off-path attacker who knows only the IP addresses of two machines on the Internet can send spoofed guesses to one of them and then, using a connection of his own to the same host, count how many of the 100 challenge ACKs are left in the current second. A count of 99 instead of 100 reveals that a spoofed guess was accepted. Repeating this lets the attacker first confirm that a TCP connection exists between the two hosts, then infer its sequence and acknowledgment numbers, which is enough to hijack the connection.

With those numbers in hand the attacker can track users’ activity, terminate the intercepted connection, and inject arbitrary data. In the case of HTTPS-protected communications the attacker cannot read or alter the encrypted payload, so the only practical outcome is terminating the connection. It’s also worth pointing out that the inference takes time, so the attack only works against services that keep long-lived TCP connections open, such as video, ad, news and chat services.

Experts from Lookout have analyzed the vulnerability and determined that in addition to Linux systems, it also exposes Android devices to attacks. The flaw impacts Android 4.4 KitKat and later, which, according to statistics from Statista, account for nearly 80 percent of Android installations, or roughly 1.4 billion devices.

The vulnerability was patched in the Linux kernel in July with the release of version 4.7. However, even the latest Android releases, including the developer preview of the upcoming Android Nougat, still use a vulnerable version of the Linux kernel.

“If you’re running an enterprise mobility program, a number of Android devices are potentially vulnerable to a serious spying attack. CISOs should be aware that this new vulnerability affects their Linux environments, Linux-based server connections (e.g., to popular websites), in addition to Android devices,” Lookout explained.


Until the Linux kernel is updated in Android, users can limit the damage by ensuring that the websites they visit use HTTPS, which prevents eavesdropping and data injection but not connection resets. On rooted devices, users can also use the sysctl tool to raise net.ipv4.tcp_challenge_ack_limit to a very high value (e.g. net.ipv4.tcp_challenge_ack_limit = 999999999): an attacker can no longer exhaust the counter within one second, so the count of challenge ACKs no longer leaks anything. A value set with sysctl -w does not survive a reboot unless it is made persistent.
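To make concrete how the shared counter becomes a side channel, and why raising net.ipv4.tcp_challenge_ack_limit closes it, here is a self-contained Python model added by the editor; it is not code from the original article, from the researchers or from Lookout. It sends no packets: the server, the victim connection and the attacker's own connection are constructed Python objects. It assumes a receive window of 65536 bytes, the pre-fix default of 100 challenge ACKs per second, and a constructed victim connection on client port 51823 with RCV.NXT 0x12345678. It goes a little beyond the article's summary by working through both the connection (port) test and the sequence-number search described in the researchers' paper, using only "was a challenge ACK consumed or not" answers.

```python
"""Toy model of the CVE-2016-5696 side channel: RFC 5961 challenge ACKs drawn
from one global per-second budget. Nothing here touches a network; the server,
the victim connection and the attacker's connection are constructed objects."""

SEQ_SPACE = 2 ** 32
WINDOW = 2 ** 16          # assumed receive window of the victim connection
DEFAULT_LIMIT = 100       # pre-fix default of net.ipv4.tcp_challenge_ack_limit


class Server:
    """Receiver implementing the RFC 5961 checks with a shared challenge-ACK counter."""

    def __init__(self, victim_port, victim_rcv_nxt, limit=DEFAULT_LIMIT):
        self.limit = self.budget = limit
        # established connections: (client_ip, client_port) -> RCV.NXT (constructed)
        self.conns = {("victim", victim_port): victim_rcv_nxt,
                      ("attacker", 40000): 1000}

    def tick(self):
        """A new second starts: the global budget is refilled."""
        self.budget = self.limit

    def _challenge_ack(self):
        if self.budget == 0:
            return None                       # over the limit: silently dropped
        self.budget -= 1
        return "CHALLENGE_ACK"

    def receive(self, src, flags, seq):
        """Handle one segment from src=(ip, port) and return the reply, if any."""
        if src not in self.conns:
            return "RST"                      # no connection on that 4-tuple
        rcv_nxt = self.conns[src]
        if "SYN" in flags:                    # RFC 5961 s.4: SYN on an established connection
            return self._challenge_ack()
        if "RST" in flags:                    # RFC 5961 s.3
            if seq == rcv_nxt:
                del self.conns[src]           # exact match: the connection is torn down
                return "CLOSED"
            if (seq - rcv_nxt) % SEQ_SPACE < WINDOW:
                return self._challenge_ack()  # in-window but inexact
        return None                           # out of window: dropped


class OffPathAttacker:
    """Knows only the victim's IP and the server, plus its own legitimate connection."""

    def __init__(self, server, limit_guess=DEFAULT_LIMIT):
        self.server, self.limit_guess = server, limit_guess
        self.me, self.my_rcv_nxt = ("attacker", 40000), 1000

    def consumed(self, segments):
        """One measurement round: spoof a batch of guesses, then send limit_guess
        in-window RSTs on our own connection and count the challenge ACKs back.
        Fewer than limit_guess replies means some spoofed guess was accepted."""
        self.server.tick()
        for src, flags, seq in segments:
            self.server.receive(src, flags, seq)
        replies = sum(self.server.receive(self.me, {"RST"}, self.my_rcv_nxt + 1)
                      == "CHALLENGE_ACK" for _ in range(self.limit_guess))
        return replies < self.limit_guess

    def _narrow(self, candidates, holds_answer):
        """Binary search over a candidate list, using the side channel as the oracle."""
        while len(candidates) > 1:
            mid = len(candidates) // 2
            candidates = candidates[:mid] if holds_answer(candidates[:mid]) else candidates[mid:]
        return candidates[0]

    def find_port(self, ports):
        """Spoofed SYN/ACKs: a port with a live connection draws a challenge ACK,
        a free port draws a plain RST that does not touch the budget."""
        synack = lambda ps: self.consumed([(("victim", p), {"SYN", "ACK"}, 0) for p in ps])
        port = self._narrow(list(ports), synack)
        return port if synack([port]) else None    # confirm, since _narrow always answers

    def find_rcv_nxt(self, port):
        """Spoofed RSTs: in-window guesses consume a challenge ACK, others are dropped."""
        rst = lambda seqs: self.consumed([(("victim", port), {"RST"}, s % SEQ_SPACE) for s in seqs])
        # Phase 1: one guess per window-sized slice; exactly one slice is in-window.
        # (A guess equal to RCV.NXT would reset the victim; that needs RCV.NXT to be
        # a multiple of WINDOW, a 1-in-65536 risk the real attack also runs.)
        base = self._narrow(list(range(0, SEQ_SPACE, WINDOW)), rst)
        # Phase 2: find the window's right edge from base. Every guess here is above
        # RCV.NXT, so none can reset the connection. base+lo is in-window, base+hi is not.
        lo, hi = 0, WINDOW
        while hi - lo > 1:
            mid = (lo + hi) // 2
            lo, hi = (mid, hi) if rst([base + mid]) else (lo, mid)
        return (base + hi - WINDOW) % SEQ_SPACE


def demo(limit=DEFAULT_LIMIT):
    """Run the inference against a constructed victim; returns (port, RCV.NXT)."""
    server = Server(victim_port=51823, victim_rcv_nxt=0x12345678, limit=limit)
    attacker = OffPathAttacker(server)
    port = attacker.find_port(range(32768, 61000))     # Linux ephemeral port range
    return (None, None) if port is None else (port, attacker.find_rcv_nxt(port))


if __name__ == "__main__":
    print("default limit (100/s):", demo())                  # (51823, 305419896)
    print("limit raised to 999999999:", demo(999_999_999))   # (None, None)
```

The first call recovers the client port and RCV.NXT from nothing but 99-versus-100 counts; the second, with the limit raised as the article suggests, gets 100 replies in every round and learns nothing. The kernel fix that landed in 4.7 takes a different route to the same end: it randomizes the per-second budget around a higher default limit, so the count the attacker observes no longer has a fixed baseline to compare against.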

Lookout says there is no evidence that a proof-of-concept (PoC) exploit exists for the vulnerability and the company expects Google to address it with the next Android security updates.

Related: Linux Kernel Flaw Puts Millions of Devices at Risk

Related: Google to Boost Linux Kernel Defenses in Android 7.0

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.



