Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Local Root Exploit Found on Lenovo Smartphone

The Lenovo VIBE smartphone was found to include vulnerabilities that could allow an attacker with physical access to the device to gain root privileges.

The Lenovo VIBE smartphone was found to include vulnerabilities that could allow an attacker with physical access to the device to gain root privileges.

The flaws, Lenovo explains in an advisory, impact only devices that are not protected with a secure lock screen, such as a PIN or a password. By exploiting these issues, a local user or attacker can elevate privileges to the root user and can “modify the device’s operation and functionality in myriad ways.”

A total of three vulnerabilities that can be exploited in conjunction were discovered, but the company says that only devices running versions of Android earlier than 6.0 may be vulnerable to the root exploit.

Tracked as CVE-2017-3748, the first of the three bugs is created by improper access controls on the nac_server component.

The remaining two issues, CVE-2017-3749 and CVE-2017-3750, impact the Idea Friend Android and Lenovo Security Android applications, respectively. Designed to allow “private data to be backed up and restored via Android Debug Bridge,” the apps also allow “tampering leading to privilege escalation.”

The three bugs were found by Mandiant’s Red Team in May 2016 and were reported the same month. In charge of Lenovo’s mobile phone portfolio, Motorola has since corrected the vulnerabilities by redesigning “the affected mechanism to use a more secure process,” Mandiant Red Team’s Jake Valletta explains.

“Allowing backups on privileged applications can also be detrimental and should be disallowed. Just because an application is not running as a privileged Android user ID such as ‘android.uid.system’, does not mean that it cannot introduce vulnerabilities and be used to escalate privileges. Finally, applications should never allow executable code (Java classes, ELF binaries, or shared objects) within backups. This can be limited using a BackupAgent,” Valletta notes.

Because the exploit chain requires local, physical access to a device, it is “very unlikely to see this exploit ‘in the wild’,” the researcher says. However, users are advised to update their devices to the most recent software package their manufacturer has released, as well as to use strong lock screen settings to ensure their devices remain protected.

The complete technical details pertaining to the three vulnerabilities and the manner in which they can be exploited to gain root access are available in Valletta’s blog post.

A total of over 40 Lenovo phone models appear to be impacted by the issue, and the company says that no fix is available for 20 of them (15 other models aren’t impacted, as they have been already updated). Lenovo published a complete list of impacted devices.

Related: DHS Funds Smartphone Authentication Projects

Related: Just Watching a YouTube Video Can Compromise Your Smartphone

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.