With the Dirty Pipe exploit, you could lose control of your Pixel 6 or Galaxy S22 phone
A new vulnerability called Dirty Pipe can affect devices running Android 12. Tracked as CVE-2022-0847 (its Common Vulnerabilities and Exposures number, the identifier assigned to known security flaws), Dirty Pipe could be exploited to allow Android applications that have permission to read your files to perform malicious actions against them, and possibly to take over control of your phone.
The vulnerability affects Linux-powered devices such as Android and Google Home devices, Chromebooks, and more. The vulnerability was introduced to Android with Linux version 5.8 which was released in 2020.
According to a tweet from Ars Technica's Ron Amadeo, only phones that launched with Android 12 installed, like the Pixel 6 series and the Galaxy S22 series, are affected by Dirty Pipe. The developer who originally discovered the vulnerability used a Pixel 6 to report Dirty Pipe to Google. 9to5Google reports that the good news is that, as of today, no one has exploited Dirty Pipe, although some developers have created proof-of-concept examples that show how easily the vulnerability can be exploited.
Ars Technica's Ron Amadeo explains that Dirty Pipe affects only phones that were released with Android 12, not phones that were updated to it
To check whether your Pixel 6 or Galaxy S22 series phone is exposed to Dirty Pipe, go to Settings > Android Version and look at the Kernel version. If it is higher than 5.8, your phone is potentially at risk.
Android developer Max Kellermann discovered the vulnerability, and on February 23rd Linux released fixes (5.16.11, 5.15.25, 5.10.102). The following day, Google merged Kellermann's fix into the Android kernel. Still, the CVE number was not included in the just-released March Security Bulletin, which means that either Google will send out a special patch for the Pixel 6 series and Samsung for the Galaxy S22 series, or the vulnerability will be patched in April's security release.
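The kernel-version check above can be combined with the fixed releases just listed. The following is an added example, not code from the article or from Google: the function names and sample version strings are constructed, and treating branches newer than 5.16 as fixed is an assumption based on the fix having been merged before those branches were released.

```python
import re

# Fixed stable releases named in the article, keyed by (major, minor) branch.
FIXED_PATCH = {(5, 16): 11, (5, 15): 25, (5, 10): 102}
FIRST_AFFECTED = (5, 8)  # article: introduced with Linux 5.8


def parse_kernel(release):
    """Return (major, minor, patch) from a `uname -r` style string."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def dirty_pipe_status(release):
    """Classify a kernel release string against the article's version data.

    'potentially_vulnerable' is a prompt to check the device's security
    patch level, not proof: vendor kernels can carry the fix as a backport
    without the upstream version number changing.
    """
    major, minor, patch = parse_kernel(release)
    branch = (major, minor)
    if branch < FIRST_AFFECTED:
        return "not_affected"
    if branch in FIXED_PATCH:
        if patch >= FIXED_PATCH[branch]:
            return "fixed"
        return "potentially_vulnerable"
    if branch > (5, 16):
        # Assumption: branches released after the fix already include it.
        return "fixed"
    # 5.8, 5.9 and 5.11-5.14: the article lists no fixed release for these.
    return "potentially_vulnerable"


if __name__ == "__main__":
    # Constructed sample strings in the shape Android and desktop kernels report.
    samples = [
        "5.10.43-android12-9-00031-g0123abcd",
        "5.10.102",
        "4.19.191-perf",
        "5.16.10",
        "5.15.25-generic",
    ]
    for s in samples:
        print(f"{s:40s} {dirty_pipe_status(s)}")
```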
To prevent your new Pixel 6, Pixel 6 Pro, Galaxy S22, Galaxy S22+, and Galaxy S22 Ultra from getting "Dirty Pipes," do not run apps that you can't trust. And for the ultimate in protection, do not install any new apps until we see that Google has pushed out the patch specifically for Dirty Pipe. That might be a huge ask, but why risk turning root access to your phone over to someone who would love to steal your personal information because you want to download your fifth weather app?
On April 4th, Google will release the April Security Patch and we will see whether Google has patched the vulnerability at that time. If it is patched earlier, we will let you know.