A serious vulnerability in many versions of Android that allows an attacker to gain complete control of the target phone by exploiting an app in the secure portion of the operating system still affects about 60 percent of enterprise Android devices, even though a patch was released in January.
The vulnerability is in Qualcomm software, and the attack requires that a user install a malicious app. Once the app is installed, the attacker can exploit the flaw in Qualcomm’s Secure Execution Environment (QSEE) to eventually gain complete control of the underlying Linux kernel. The QSEE is the trusted portion of the Android operating system in which trusted apps interact with trusted memory and hardware. Under normal circumstances, code from the untrusted portion of the OS shouldn’t be able to execute code in the QSEE. The vulnerability, combined with some other conditions, allows this to happen.
“An attacker running code in the Normal World could take advantage of a vulnerability in mediaserver to exploit an application running in the Secure World. Then the attacker could modify the Normal World’s Linux kernel, allowing the attacker to compromise the whole operating system to whatever ends they’re trying to achieve,” a post on the issue from Duo Labs says.
Duo Labs researched the vulnerability and attack scenarios, and also looked at how many Android devices are still vulnerable four months after the fix was released. It turns out to be a lot of devices.
“While this doesn’t affect all phones running Android, it does affect the vast majority that have Qualcomm processors. According to Duo’s data, 80% of the Android phones that have our app are based on a Qualcomm chipset, usually in the well-known Snapdragon series (e.g., Samsung’s Galaxy S5 and S6, Motorola’s Droid Turbo, and Google’s Nexus line of phones). Of the Qualcomm-based phones seen by Duo, only 25% have applied the January 2016 (or later) monthly security update, leaving 60% of all Android phones vulnerable,” Duo said.
The attack scenario described by Duo Labs requires that the attacker have a vulnerability in the mediaserver component of Android, a commodity that is not in short supply. Exploiting that flaw would allow the attacker to use mediaserver’s permissions to talk to the QSEE trusted apps, known as trustlets. Using that communication ability, the attacker could then exploit a vulnerability in any of those trustlets. Gal Beniamini, the researcher who disclosed this bug, found a flaw in the Widevine QSEE trustlet.
“Beniamini found such a vulnerability in the “widevine” trustlet, which manages encryption keys for Widevine’s DRM software. They exploited that to ‘hijack’ the Normal World’s Linux kernel; no kernel vulnerability required. Once an attacker has arbitrary access to the kernel, it’s game over; you can’t trust anything running in the Normal World,” Duo Labs said.
The main reason that so many Android devices remain vulnerable to this issue four months after a patch was released is that carriers and device manufacturers control the security update process for Android users. Google pushes out monthly security patches for Android and users of its Nexus devices get those right away, but users of other Android phones have to wait for manufacturers and carriers to build, test, and release the patches. And those patches don’t always come in a timely manner.
“An analysis of Duo’s dataset of enterprise devices finds that 27% of Android phones are too old to receive the monthly updates, so they’re permanently vulnerable as well, unless (a) they update to Android 4.4.4 or later and (b) their manufacturer and carrier have built and approved a patch for that version of Android on that model,” Duo Labs said.
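The two conditions above (a device new enough to receive monthly updates, and a patch level of January 2016 or later) are the ones an administrator actually has to check across a fleet. The script below is an added example, not Duo Labs’ code, that classifies devices from the output of `adb shell getprop`. It assumes the device reports `ro.build.version.security_patch` (present from Android 6.0 onward; older builds lack it, so they are reported as unknown rather than guessed) and uses `ro.hardware` equal to `qcom` as a heuristic for a Qualcomm chipset. The sample property dumps are constructed for the example.

```python
"""Fleet audit: classify Android devices against the January 2016 security
patch level using `adb shell getprop` output.  Added example; assumptions:
  - ro.build.version.security_patch is a YYYY-MM-DD string (Android 6.0+)
  - ro.hardware == "qcom" is a (heuristic) marker for a Qualcomm chipset
"""
import re
from datetime import datetime

FIXED_PATCH_LEVEL = datetime(2016, 1, 1)      # month the Qualcomm fix shipped
MIN_RELEASE_FOR_UPDATES = (4, 4, 4)           # below this, no monthly updates at all

# Constructed sample getprop dumps (not captured from real devices).
SAMPLE_DEVICES = {
    "patched": "[ro.build.version.release]: [6.0.1]\n"
               "[ro.build.version.security_patch]: [2016-02-01]\n"
               "[ro.hardware]: [qcom]\n",
    "vulnerable": "[ro.build.version.release]: [6.0]\n"
                  "[ro.build.version.security_patch]: [2015-12-01]\n"
                  "[ro.hardware]: [qcom]\n",
    "too_old": "[ro.build.version.release]: [4.4.2]\n"
               "[ro.hardware]: [qcom]\n",
    "unknown": "[ro.build.version.release]: [5.1.1]\n"   # no patch property
               "[ro.hardware]: [qcom]\n",
    "not_qualcomm": "[ro.build.version.release]: [6.0.1]\n"
                    "[ro.build.version.security_patch]: [2015-11-01]\n"
                    "[ro.hardware]: [universal7420]\n",
}

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict; ignores anything else."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_version(release):
    """'6.0.1' -> (6, 0, 1); tolerates suffixes like '4.4.4-rc' and pads to 3."""
    parts = []
    for piece in release.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def classify(props):
    """Return one of: not_qualcomm, too_old, unknown, vulnerable, patched."""
    if props.get("ro.hardware", "").lower() != "qcom":   # heuristic, see above
        return "not_qualcomm"
    if parse_version(props.get("ro.build.version.release", "0")) < MIN_RELEASE_FOR_UPDATES:
        return "too_old"
    patch = props.get("ro.build.version.security_patch")
    if not patch:
        return "unknown"          # pre-6.0 build: patch level not reported
    try:
        level = datetime.strptime(patch, "%Y-%m-%d")
    except ValueError:
        return "unknown"
    return "patched" if level >= FIXED_PATCH_LEVEL else "vulnerable"


def summarize(dumps):
    """Count devices per classification for a {name: getprop_text} mapping."""
    counts = {}
    for text in dumps.values():
        verdict = classify(parse_getprop(text))
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for name, text in SAMPLE_DEVICES.items():
        print(f"{name:>13}: {classify(parse_getprop(text))}")
    print(summarize(SAMPLE_DEVICES))
```

In practice the dumps come from `adb shell getprop` (or an MDM inventory export) rather than the constructed strings; devices landing in `too_old` or `unknown` are the ones the quoted 27% figure is about, and `vulnerable` devices are those waiting on a carrier or manufacturer build of the January 2016 update.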