There is an old, high-severity vulnerability in Android that could allow an attacker to gain access to a user’s SMS database and phone history. The bug has been in Android for at least five years and affects a huge number of Android devices.
The vulnerability lies in a software package that Qualcomm maintains and it was brought into Android when the company contributed an API to the Android Open Source Project in 2011. Researchers at FireEye’s Mandiant Red Team discovered the flaw and worked with Qualcomm, which has released a fix for it.
“CVE-2016-2060 is a lack of input sanitization of the ‘interface’ parameter of the ‘netd’ daemon, a daemon that is part of the Android Open Source Project (AOSP). The vulnerability was introduced when Qualcomm provided new APIs as part of the ‘network_manager’ system service, and subsequently the ‘netd’ daemon, that allow additional tethering capabilities, possibly among other things. Qualcomm had modified the ‘netd’ daemon,” FireEye said in an analysis of the vulnerability.
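As an added illustration (not AOSP's or Qualcomm's code, and not a claim about how the patched netd validates), this is the kind of allow-list check a privileged daemon should apply to a caller-supplied interface name before acting on it; the name rules and the handle_iface_cmd handler are assumptions made for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16 /* Linux limit: name bytes plus terminating NUL */

/* Allow-list check for a caller-supplied interface name (assumed rules, stricter
 * than the kernel's own): only [A-Za-z0-9_.-], alphanumeric first byte,
 * 1..IFNAMSIZ-1 bytes. Anything else is rejected before the daemon touches it. */
bool valid_ifname(const char *name)
{
    if (name == NULL)
        return false;
    size_t len = strlen(name);
    if (len == 0 || len >= IFNAMSIZ || !isalnum((unsigned char)name[0]))
        return false;
    for (size_t i = 1; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return false;
    }
    return true;
}

/* Hypothetical daemon command handler: validates before doing anything with the
 * argument and formats the sanctioned action with a bounded snprintf instead of
 * composing a shell string. Returns 0 on success, -1 when the name is rejected. */
int handle_iface_cmd(const char *iface, char *out, size_t outlen)
{
    if (!valid_ifname(iface)) {
        snprintf(out, outlen, "ERROR: rejected interface argument");
        return -1;
    }
    snprintf(out, outlen, "tether add %s", iface);
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: two plausible names, three that must fail. */
    const char *samples[] = { "wlan0", "rmnet_data0", "wlan0;x", "../wlan0", "" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = handle_iface_cmd(samples[i], buf, sizeof buf);
        printf("%-12s -> rc=%d %s\n", samples[i], rc, buf);
    }
    return 0;
}
```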
An attacker could exploit the vulnerability in a couple of ways, including through the use of a malicious app on a vulnerable device. An attacker also could exploit it through physical access to an unlocked phone, although at that point he wouldn’t need a vulnerability to access texts and phone history. A malicious app that exploits this vulnerability likely wouldn’t give the user any indication of what’s going on.
“Any application could interact with this API without triggering any alerts. Google Play will likely not flag it as malicious, and FireEye Mobile Threat Prevention (MTP) did not initially detect it. It’s hard to believe that any antivirus would flag this threat. Additionally, the permission required to perform this is requested by millions of applications, so it wouldn’t tip the user off that something is wrong,” FireEye said.
The severity of the problem depends on the age of the Android device; the impact is greater on older handsets.
“On older devices, the malicious application can extract the SMS database and phone call database, access the Internet, and perform any other capabilities allowed by the ‘radio’ user,” FireEye said.
“Newer devices are affected less. The malicious application can modify additional system properties maintained by the operating system. The impact here depends entirely on how the OEM is using the system property subsystem.”
Qualcomm released a patch for the vulnerability, which was included in the latest Android security update released May 2. FireEye researchers said they have not seen this vulnerability being exploited actively at this point.