American cyber-security firm FireEye, specifically its Mandiant unit, discovered a critical vulnerability in the Lenovo Vibe P1 smartphone last year that allowed hackers to gain root access to the smartphone. The company informed Lenovo about it soon after, and now a security fix has finally been rolled out to compatible phones.
Lenovo has acknowledged the vulnerability, and it notes that the flaw “allows the user or an attacker with physical possession of a device that is not protected with a secure lock screen, e.g. PIN/ Password, to elevate privileges to the root user (commonly known as ‘rooting’ or ‘jailbreaking’ a device) with the ability to modify the device’s operation and functionality in myriad ways.” The fix has been rolled out to a subset of Lenovo Vibe phones, and it is recommended to be installed immediately, specifically on smartphones running on versions earlier than Android 6.0 Marshmallow.
The Chinese consumer electronics giant has also noted some mitigation strategies for users with older Android versions, and this includes disabling the Android Debug Bridge option from the Android Developer Options menu on the smartphone. They’ve also urged these users to enable lock screen authentication mechanisms like a PIN or password protection.
If you own a Lenovo Vibe phone, check for an update by heading to Settings > About Phone > System updates. All the affected devices are listed here. There are also a number of listed phones that don’t have any software fix, and they are forced to only resort to mitigation strategies listed above.
For this exploit to work, physical access to the device is necessary, therefore you may not see the exploit “in the wild”. However, as privacy is paramount, it is recommended to update compatible devices to the most recent software package or protect their devices using strong lock screen settings.