Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Mobile & Wireless

Local Root Exploit Found on Lenovo Smartphone

The Lenovo VIBE smartphone was found to include vulnerabilities that could allow an attacker with physical access to the device to gain root privileges.

The Lenovo VIBE smartphone was found to include vulnerabilities that could allow an attacker with physical access to the device to gain root privileges.

The flaws, Lenovo explains in an advisory, impact only devices that are not protected with a secure lock screen, such as a PIN or a password. By exploiting these issues, a local user or attacker can elevate privileges to the root user and can “modify the device’s operation and functionality in myriad ways.”

A total of three vulnerabilities that can be exploited in conjunction were discovered, but the company says that only devices running versions of Android earlier than 6.0 may be vulnerable to the root exploit.

Tracked as CVE-2017-3748, the first of the three bugs is created by improper access controls on the nac_server component.

The remaining two issues, CVE-2017-3749 and CVE-2017-3750, impact the Idea Friend Android and Lenovo Security Android applications, respectively. Designed to allow “private data to be backed up and restored via Android Debug Bridge,” the apps also allow “tampering leading to privilege escalation.”

The three bugs were found by Mandiant’s Red Team in May 2016 and were reported the same month. In charge of Lenovo’s mobile phone portfolio, Motorola has since corrected the vulnerabilities by redesigning “the affected mechanism to use a more secure process,” Mandiant Red Team’s Jake Valletta explains.

“Allowing backups on privileged applications can also be detrimental and should be disallowed. Just because an application is not running as a privileged Android user ID such as ‘android.uid.system’, does not mean that it cannot introduce vulnerabilities and be used to escalate privileges. Finally, applications should never allow executable code (Java classes, ELF binaries, or shared objects) within backups. This can be limited using a BackupAgent,” Valletta notes.

Because the exploit chain requires local, physical access to a device, it is “very unlikely to see this exploit ‘in the wild’,” the researcher says. However, users are advised to update their devices to the most recent software package their manufacturer has released, as well as to use strong lock screen settings to ensure their devices remain protected.

Advertisement. Scroll to continue reading.

The complete technical details pertaining to the three vulnerabilities and the manner in which they can be exploited to gain root access are available in Valletta’s blog post.

A total of over 40 Lenovo phone models appear to be impacted by the issue, and the company says that no fix is available for 20 of them (15 other models aren’t impacted, as they have been already updated). Lenovo published a complete list of impacted devices.

Related: DHS Funds Smartphone Authentication Projects

Related: Just Watching a YouTube Video Can Compromise Your Smartphone

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights