Lingering Android flaw exposes SMS

Android devices are vulnerable to attack owing to a newly discovered bug that permits local privilege escalation to the device’s “radio”, according to FireEye.

A security flaw affecting hundreds of Android phones using Qualcomm chips potentially lets hackers access a phone’s SMS text messages, call log and internet browser.

CVE-2016-2060 has been described by security firm FireEye as “a lack of input sanitization of the ‘interface’ parameter of the ‘netd’ daemon, a daemon that is part of the Android Open Source Project (AOSP)”. Older devices are at the greatest risk; newer devices running Android with SE Android, the OS’ implementation of Security Enhanced Linux, are at a lesser risk. It’s now up to the OEMs to issue an update to their devices, but given the diversity and range of products, there is a chance that many might not be updated. Chip maker Qualcomm knows about that like the best of them. The APIs were later part of another system service, the “netd” daemon. While sometimes the vulnerabilities that are exploited by hackers are found in Android core, this time it’s Qualcomm who is responsible for introducing a serious vulnerability exposing private user data to rogue apps. Furthermore, the permission required to access these APIs has been requested by “millions of applications”, which could lead to an overwhelming number of false positives through automated scans.
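The advisory quoted above puts the root cause in a missing check on the “interface” parameter. As an added example (not code from FireEye, Qualcomm or AOSP), this is the kind of allow-list check a daemon can apply before using such a parameter; the function name, the permitted character set and the sample inputs are assumptions, and the 16-byte limit is Linux's IFNAMSIZ.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define IFNAME_MAX 16 /* Linux IFNAMSIZ: 15 characters plus the NUL */

/* Hypothetical helper (assumption, not AOSP code): allow-list check for an
 * interface name supplied by an untrusted caller. */
bool ifname_is_safe(const char *name)
{
    size_t len = 0;

    if (name == NULL)
        return false;
    for (; name[len] != '\0'; len++) {
        unsigned char c = (unsigned char)name[len];
        bool allowed = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                       (c >= '0' && c <= '9') ||
                       c == '_' || c == '-' || c == '.';
        /* Stop at the first disallowed byte, or once the name cannot fit. */
        if (!allowed || len + 1 >= IFNAME_MAX)
            return false;
    }
    if (len == 0)
        return false;
    /* "." and ".." pass the character test but are not interface names. */
    if (name[0] == '.' && (len == 1 || (len == 2 && name[1] == '.')))
        return false;
    return true;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the advisory. */
    const char *samples[] = { "wlan0", "rmnet_data0", "eth0.100", "",
                              "wlan0 extra", "wlan0;x", "../wlan0",
                              "interface_name_too_long" };
    size_t n = sizeof(samples) / sizeof(samples[0]);

    for (size_t i = 0; i < n; i++)
        printf("%-26s %s\n", samples[i],
               ifname_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Rejecting anything outside the allow-list, rather than stripping known-bad characters, keeps the check independent of how the value is used later.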

“What we notice is that the carriers are going to patch their most popular and current models while the others might not see security fixes so they remain vulnerable”, he said.

In Australia, telco carriers are the main conduit for Android device software updates but have had a habit of passing the buck to manufacturers when confronted about newly discovered vulnerabilities. “This vulnerability was confirmed on devices running Lollipop (5.0), KitKat (4.4), and Jellybean MR2 (4.3), and the Git commit referenced in the post is Ice Cream Sandwich MR1 (4.0.3)”, Mandiant said in its advisory.

In the case of the latest bug, Valetta said Qualcomm had been highly responsive to FireEye and worked conscientiously to a tight timeframe to patch its software and notify manufacturers. An attacker can exploit the flaw to gain physical access to an unlocked device as well as install a malicious application on the device at will. Throughout the process, there is no indication to the user that an app is accessing their data.

The vulnerability was patched in the Android security patch that Google released on 1 May.
