Chipmaker works with FireEye and Mandiant to identify code vulnerability in Android software
A vulnerability in Android phones powered by Qualcomm processors could have put millions of smartphone users at risk, security researchers have warned.
Specialists at FireEye company Mandiant found that software included with Qualcomm chips had a flaw that could have allowed hackers to view personal information stored on a mobile device, including SMS history and call history, and even access the internet on the device.
The flaw, named as CVE-2016-2060, could have existed as long ago as 2011, and could be in place on hundreds of different models of smartphone, the researchers warned, as many of the world’s leading Android devices feature hardware built by Qualcomm.
The flaw, defined as a lack of input sanitisation of the “interface” parameter of the “netd” daemon, which is used as part of the Android Open Source Project (AOSP).
This was included to give smartphones better networking qualities, such as the ability to tether to another device, but opened it up to attack.
Mandiant says it can be exploited either by a hacker physically unlocking an unprotected device, or by the user installing a malicious application.
The latter is particularly worrying as Mandiant says that any application could have interacted with the affected software without triggering any alerts, even in Google Play, as the permissions required to perform the install is the same as that requested by millions of applications, so users would be unaware they were downloading a threat.
“It’s hard to believe that any antivirus would flag this threat,” Mandiant wrote in a blog.
Qualcomm confirmed that Manidant told it about the flaw back in January, with affected users being informed of any issues in March, although individual OEMs will need to issue their own updates to fix the flaw.
“Enabling robust security and privacy is a top priority for Qualcomm Technologies, Inc,” a company spokesperson told TechWeekEurope. “Recently, we worked with Mandiant, a FireEye company, to address the vulnerability (CVE-2016-2060) that may affect Android-based devices powered by certain Snapdragon processors. We are not aware of any exploitation of this vulnerability. We have made security updates available to our customers to address this vulnerability.”
FireEye noted that Qualcomm was “extremely responsive” throughout the entire process, and fixed the issue within 90 days – a window set by Qualcomm, not FireEye.
Android is no stranger to being the subject of cybercrime attacks, with Google needing to continually extend and improve the security needs to ensure users stay safe.
Last month, Google said that it now checks over six billion installed apps on 400 million devices every day, with over one billion devices worldwide now protected by its security services.
Are you a security pro? Try our quiz!