Android usually maintains a monthly security patch schedule, but Google has released an out-of-cycle fix for a serious vulnerability that affects a majority of devices. The company is working on a security update for Nexus devices and has released the patch for other OEMs to implement.
A large number of Android devices (including all Nexus devices) running kernel versions 3.4, 3.10, and 3.14 are affected by a vulnerability that allows an app to gain root access. Only newer devices, like the Galaxy S7, running Linux kernel 3.18 or higher are immune from this issue.
Google originally intended to patch up the issue with an upcoming security patch, but a third-party security firm was able to abuse the vulnerability on a Nexus 5. Since then, a rooting app for the Nexus 5 and 6 that abuses the vulnerability has been made publicly available.
This issue is rated critical in severity due to its ability to execute arbitrary code “leading to local permanent device compromise.” Affected users would have to reflash the entire operating system, thereby losing their data, to fix the issue. Google notes that they have blocked rooting applications that take advantage of the vulnerability from the Play Store and using the Verify Apps security feature. However, an individual could still be tricked into manually installing the app.
Google will release a security update in the coming days to Nexus devices, while it will be up to OEMs to implement the fix as soon as possible.