A widespread vulnerability has been discovered that affects Android devices going back a whopping five years. It gives attackers access to victims’ SMS databases and phone history, and allows them to access the internet—all undetected.
The issue affects both flagship and non-flagship devices that use Qualcomm chips and/or Qualcomm code, meaning that hundreds of models and likely millions of gadgets are affected. Mandiant’s Red Team has confirmed the vulnerability on devices running Lollipop (5.0), KitKat (4.4), Jelly Bean MR2 (4.3), and Ice Cream Sandwich MR1 (4.0.3)—meaning that it’s mostly older devices that are affected.
Exploiting the flaw requires either physical access to an unlocked device or tricking the victim into installing a malicious application on the device.
“It should be noted that once the vulnerability is exploited, there is no indication to the user that something has happened. For example, there is no performance impact or risk of crashing the device,” Mandiant said in an analysis. “Any application could interact with this API without triggering any alerts. Google Play will likely not flag it as malicious, and FireEye Mobile Threat Prevention (MTP) did not initially detect it. It’s hard to believe that any antivirus would flag this threat. Additionally, the permission required to perform this is requested by millions of applications, so it wouldn't tip the user off that something is wrong.”
The flaw exists in an open-source software package that Qualcomm develops and distributes freely through the Code Aurora Forum. It permits local privilege escalation to the built-in user “radio,” according to Mandiant. The vulnerability was introduced when Qualcomm added new APIs as part of the "network_manager" system service.
Qualcomm has addressed the issue and notified all of its OEM customers in early March 2016. The OEMs will now need to provide updates for their devices.
But it’s unlikely that all or even most vulnerable devices will be fixed.
“People are using the code for a variety of projects, including CyanogenMod (a fork of Android),” the researchers noted. “The vulnerable APIs have been observed in a Git repository from 2011, indicating that someone was using this code at that time. This will make it particularly difficult to patch all affected devices, if not impossible.”