It seems like a new, dangerous Android exploit is uncovered every month or two. The latest headliners are NightMonkey and Chronos from the list of CIA tools in the Vault 7 documents published by WikiLeaks, which have been billed as gaping security holes in the world's biggest mobile operating system.
The thing is, to the average user, these exploits are generally more helpful than harmful. So why do news sites report them with such a doom-and-gloom tone?
Well, a balanced perspective is nice, but fear gets clicks. Tech bloggers know this, so they look for the scariest angle when it comes to Android exploits—even though these same exploits can be used for good things like giving users root access in a single tap.
Android runs on the Linux kernel, so even though the rest of the platform looks nothing like a desktop distribution, a bug in that shared kernel is a bug on both. Dirty COW (CVE-2016-5195), Towelroot (CVE-2014-3153), and several others from recent years all started life as Linux kernel exploits.
Once they've been translated to work on Android, most kernel exploits work roughly the same way: code that is already running on the device as an ordinary, unprivileged app triggers the kernel bug to escalate its privileges, and from there it can root the device. In security terms this is a local privilege escalation, not remote code execution. If you've ever struggled with a device that had no easy root method available to it, this might sound like a godsend.
But unlike Android, desktop Linux already gives the machine's owner root access through su or sudo, so nobody needs a kernel exploit to root their own box. That means these exploits were never written as a root method for the owner. Their creators had more malicious motivations: most of them were built as a way for an outside threat, already running code on the machine as an unprivileged user, to gain root without the owner knowing about it, which would then allow them to inject malicious code or steal existing data.
This is why the narrative is usually fear-based when these exploits are reported. They really did start off as a malicious hack, so calling something like Dirty COW the "most serious Linux escalation bug ever" isn't factually inaccurate, but it's still fear-mongering when it's being reported as an Android problem.
The vast majority of Linux kernel exploits that were ported to work on Android came in the form of a simple app. Towelroot and Dirty COW were both packaged that way, and malware such as Gooligan bundled several of these exploits into an app of its own. In every case, an app had to be installed before any hacking could be done.
Google screens apps for known kernel exploit code, and if it's present, the app will be rejected from the Google Play Store. So for the average user who only installs apps from the official app store for Android, Linux kernel exploits are barely a concern; the residual risk is an exploit so new that no detection rule exists for it yet.
Well let's say the user somehow downloaded one of these apps from a third-party source such as an outside app store or even a link in a phishing email. They'd still have to ignore the warning message in their browser that told them how "This type of file can harm your device." Even then, Android would block installation, as the "Unknown sources" setting is toggled off by default.
But sure, let's take it a step further, why not. Say the user enabled the "Unknown sources" setting to allow for installation of third-party apps. In countries like China where the Google Play Store is unavailable, this is something many users have to do to install apps in the first place.
In most cases, Android's built-in malware scanner (Verify Apps) would prevent the app from being installed. Its detection rules are updated regularly, so it's pretty quick to block the latest malware apps once they have been seen. The usual ways around it are an app the scanner has never seen before, or cutting the device off from the network (turning on Airplane Mode after downloading the app but before installing it), since the verification relies on checking in with Google.
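To make the scanning step concrete, here is a toy static APK scanner written for this article; it is not Google's Verify Apps or Play review logic, whose rules are not public. It unpacks an APK (any zip) and flags a native ELF binary stored outside the conventional lib/ directory or any member containing a signature byte string. The signature strings are hypothetical placeholders, not real bytes from Towelroot or Dirty COW, and the three sample APKs are constructed in the script. The third sample shows the limitation that matters in practice: a dropper that fetches its exploit after installation gives a scan of the APK nothing to match.

```python
import io
import zipfile

ELF_MAGIC = b"\x7fELF"

# Hypothetical signatures: placeholders for a vendor's real detection rules,
# NOT actual bytes from Towelroot or Dirty COW.
SIGNATURES = {
    "hyp-towelroot-marker": b"towelroot_payload",
    "hyp-dirtycow-marker": b"cow_race_thread",
}


def fake_elf(body: bytes) -> bytes:
    """Constructed ELF-looking blob: the magic, a little padding and a body."""
    return ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9 + body


def scan_apk(apk_bytes: bytes) -> list:
    """Walk every member of an APK and return (member, reason) findings.

    Two checks: a native (ELF) binary stored anywhere other than lib/<abi>/,
    and any member containing one of the signature byte strings.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            data = apk.read(info.filename)
            if data.startswith(ELF_MAGIC) and not info.filename.startswith("lib/"):
                findings.append((info.filename, "native binary outside lib/"))
            for rule, needle in SIGNATURES.items():
                if needle in data:
                    findings.append((info.filename, f"matches {rule}"))
    return findings


def build_apk(members: dict) -> bytes:
    """Constructed stand-in for a real APK: a zip with the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        for name, data in members.items():
            apk.writestr(name, data)
    return buf.getvalue()


# Sample 1 (constructed): a harmless app with a normal JNI library.
CLEAN_APK = build_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00",
    "lib/armeabi-v7a/libhello.so": fake_elf(b"JNI_OnLoad"),
})

# Sample 2 (constructed): a one-tap root app carrying the exploit in assets/.
ROOT_APK = build_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00",
    "assets/root.bin": fake_elf(b"towelroot_payload"),
})

# Sample 3 (constructed): a dropper that ships no exploit at all and fetches
# the payload after install, so the APK scan has nothing to match.
DROPPER_APK = build_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00" + b"http://payload.example/root.bin",
})


def verdict(apk_bytes: bytes) -> str:
    """Block the install if the scan produced any finding."""
    return "BLOCK" if scan_apk(apk_bytes) else "ALLOW"


if __name__ == "__main__":
    for label, apk in (("clean", CLEAN_APK), ("root-app", ROOT_APK),
                       ("dropper", DROPPER_APK)):
        print(label, verdict(apk), scan_apk(apk))
```

Running it prints ALLOW for the clean app, BLOCK with two findings for the root app, and ALLOW for the dropper. That last verdict is the point: a pre-install scan only sees what is inside the package, which is why the scanner also keeps checking installed apps and why its rules have to be refreshed as new samples turn up.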
Bottom line, the user has to jump through several hoops to even get one of these apps installed on their phone, and it's extremely unlikely that this would happen accidentally. If you were a hacker looking to steal data and do generally shady things with a kernel exploit on Android, the app route is an unrealistic approach against ordinary users. The one caveat is that a local privilege escalation becomes far more dangerous when it's chained behind a remote bug (in a browser or media parser, say) that supplies the initial foothold, which is how targeted attacks tend to use these bugs.
The reason Gooligan was able to do some damage with the kernel exploit approach was that it targeted devices running Android 4 and 5 that had never been patched against the kernel bugs its bundled exploits (Towelroot among them) relied on, and Android's built-in malware scanner is not present on devices running 4.1 or lower. Those older devices make up only 5.7% of the world's Android devices, and even then, the user had to willfully modify settings and ignore warnings to be affected. At that point, a hacker would probably have a higher rate of success if they just asked people for their Google password and hoped that their victims didn't know any better than to give it to them.
On the other hand, if you were an end user who just wanted to root your phone without using a computer, one of these kernel exploits could be used to make the process incredibly easy. You could tweak the settings I just mentioned, install an app with the kernel exploit embedded in it, then tap a button to get Superuser access.
When you were done there, you could re-enable all of Android's security settings, uninstall the app, then install a root management app like SuperSU, which intercepts every call to su and prompts you, so no other app gets root access unless you explicitly grant it.
So the next time you see one of these big scary kernel exploits generating headlines, keep in mind that it will likely never be used in an opportunistic, real-world attack against ordinary users here in the States; the realistic threat is limited to targeted attacks that pair it with a remote bug. And while you're reading one of these fire-and-brimstone articles, try to remember the name of the exploit, because it might just be how you end up rooting your next device.