Just when you might be wrapping your head around that QuadRooter saga, researchers from mobile security firm Lookout have suggested that a newly discovered Linux flaw essentially "allows an attacker to remotely spy on people who are using unencrypted traffic or degrade encrypted connections."
The Linux kernel vulnerability, which was revealed recently in TCP at the USENIX Security 2016 conference, was introduced in version 3.6 of the Linux OS kernel (released in 2012) and exists in all Android smartphones running version 4.4 KitKat or later, as pointed out in the security firm's blog post.
As Lookout points out, that's 80 percent of Android devices according to Google's latest distribution figures, or roughly 1.4 billion devices, based on Statista's figures.
The vulnerability means that attackers would be able to detect communications over a TCP connection, and if unencrypted, even insert malicious code into that traffic. "While a man in the middle attack is not required here, the attacker still needs to know a source and destination IP address to successfully execute the attack," Lookout said in its blog. Lookout has suggested that Android users should consider using VPN while browsing and also encrypt the communications to prevent them from being spied on.
As the exploit is relatively hard to execute, Lookout has assigned medium severity rating to the flaw but does clarify that the risk of "targeted attacks" is there. The underlying Linux OS kernel vulnerability is classified as CVE-2016-5696, and has been patched.
The security firm has said that even though the patch for the Linux kernel was created on July 11, with the latest developer preview of Android 7.0 Nougat, the kernel doesn't seem to be patched against this particular flaw.
Speaking to Ars Technica, a Google representative said the company was aware of the vulnerability and was "taking the appropriate actions". The representative went on to say that the Android security team rates the risk "moderate," as opposed to "high" or "critical" for many of the vulnerabilities it patches
Note, this is not the first Linux kernel vulnerability that has affected Android in the recent past, with Google in March admitting vulnerabilities in Android code based on Linux kernel versions 3.4, 3.10, and 3.14. The company had made available a patch to OEMs, and worked to remove the vulnerabilities from its own Nexus devices.
Last week, a set of vulnerabilities dubbed as QuadRooter surfaced and was claimed to affect roughly 900 million Android devices. According to researchers if any one of the vulnerabilities is exploited, an attacker can gain root access to the affected device.
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.