Linux Kernel Flaw Exposes Most Android Devices to Attacks

A recently disclosed Linux kernel vulnerability caused by a TCP feature affects nearly 80 percent of Android devices, according to mobile security firm Lookout.

The flaw, identified as CVE-2016-5696, is related to a specification designed to prevent off-path TCP spoofing attacks. The specification (RFC 5961) has been implemented in the Linux kernel since 2012 (version 3.6), but not in Windows, Mac OS X or FreeBSD-based operating systems.

Researchers from the University of California, Riverside and the U.S. Army Research Laboratory discovered that a vulnerability in this feature can be exploited by a blind, off-path attacker to intercept TCP connections between two machines on the Internet simply by knowing their IP addresses.

The attacker can track users’ activity, terminate the intercepted connection, and inject arbitrary data. In the case of HTTPS-protected communications, an attacker can only terminate the connection. It’s also worth pointing out that the attack only works against websites that have long-lived TCP connections, such as video, ad, news and chat services.

Experts from Lookout have analyzed the vulnerability and determined that in addition to Linux systems, it also exposes Android devices to attacks. The flaw impacts Android 4.4 KitKat and later, which, according to statistics from Statista, account for nearly 80 percent of Android installations, or roughly 1.4 billion devices.

The vulnerability was patched in the Linux kernel in July with the release of version 4.7. However, even the latest Android releases, including the developer preview of the upcoming Android Nougat, still use a vulnerable version of the Linux kernel.

“If you’re running an enterprise mobility program, a number of Android devices are potentially vulnerable to a serious spying attack. CISOs should be aware that this new vulnerability affects their Linux environments, Linux-based server connections (e.g., to popular websites), in addition to Android devices,” Lookout explained.

Until the Linux kernel is updated in Android, users can protect themselves against spying attempts by ensuring that the websites they visit use HTTPS. On rooted devices, users can use the sysctl tool to assign a high value to net.ipv4.tcp_challenge_ack_limit (e.g. net.ipv4.tcp_challenge_ack_limit = 999999999).
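As an added example (not from the article or from Lookout), the following POSIX shell script checks the live value of net.ipv4.tcp_challenge_ack_limit on a Linux host or rooted Android shell and, when run as root with `apply`, sets the high value suggested above and persists it through a sysctl.d drop-in. The drop-in path and file name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the article: verify whether the interim
# CVE-2016-5696 mitigation (a very high net.ipv4.tcp_challenge_ack_limit)
# is in place, and optionally apply it.
# Assumptions: Linux or a rooted Android shell with sysctl or /proc, root for
# the apply step; the drop-in location below is my own choice.

KEY="net.ipv4.tcp_challenge_ack_limit"
TARGET=999999999                               # value suggested in the article
DROPIN="/etc/sysctl.d/90-cve-2016-5696.conf"   # assumed persistence location

# Succeeds (exit 0) when VALUE is a number at least as large as TARGET.
limit_is_raised() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac   # reject empty or non-numeric
    [ "$1" -ge "$TARGET" ]
}

# Read the live value, preferring sysctl and falling back to /proc.
current_limit() {
    if command -v sysctl >/dev/null 2>&1; then
        sysctl -n "$KEY" 2>/dev/null
    else
        cat "/proc/sys/$(printf '%s' "$KEY" | tr . /)" 2>/dev/null
    fi
}

# Content of the persistent sysctl.d drop-in.
dropin_content() {
    printf '%s = %s\n' "$KEY" "$TARGET"
}

check() {
    v="$(current_limit)"
    if limit_is_raised "$v"; then
        echo "OK: $KEY=$v (mitigation in place)"
    else
        echo "NOT MITIGATED: $KEY=${v:-unreadable}; raise it or update the kernel"
        return 1
    fi
}

apply() {
    sysctl -w "$KEY=$TARGET" || return 1        # live change
    dropin_content > "$DROPIN"                  # survives reboot
}

case "${1:-}" in
    check) check ;;
    apply) apply && check ;;
esac
```

Run `sh script.sh check` to audit a device and `sh script.sh apply` as root to set and persist the value; the check is a stopgap only, and a kernel carrying the 4.7 fix is the real remedy.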

Lookout says there is no evidence that a proof-of-concept (PoC) exploit exists for the vulnerability and the company expects Google to address it with the next Android security updates.

Related: Linux Kernel Flaw Puts Millions of Devices at Risk

Related: Google to Boost Linux Kernel Defenses in Android 7.0

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
