A flaw affecting Qualcomm mobile processors, which Duo Labs estimates are used in 60 percent of Android devices, allows an attacker to take control of a targeted phone or tablet under specific conditions. Researchers at Duo Labs said the attack combines a vulnerability in Android’s problem-plagued mediaserver with a security hole in the Qualcomm Secure Execution Environment (QSEE).
This QSEE vulnerability, for which Gal Beniamini published a full exploit last week, is troubling because it affects both older versions of Android and the current Marshmallow release. Google has patched the vulnerability, but Duo estimates that most Android devices have not yet received the fix.
Duo researchers are careful to put their analysis of the QSEE vulnerability (CVE-2015-6639) in perspective: while a majority of Android devices are vulnerable to this exploit, they stress that the risk is not as severe as that posed by the similar and more dangerous Stagefright flaws.
“Stagefright could be used to attack anyone remotely, and all you’d need is their cell phone number. This vulnerability requires that the attacker distribute the attack code via a malicious app,” according to a Duo Security analysis of QSEE.
“According to Google’s own numbers, 1 in 200 phones have a potentially harmful application,” said Kyle Lady, research and development engineer at Duo Labs. “The QSEE exploit leverages the chaining together of two separate exploits to cause a phone to be completely controlled by a third party.”
He said that in January Google issued a security update that patched the problem for its Nexus phones and for OEM handsets. But, Lady said, the age-old problem of wireless carriers dragging their feet on pushing security updates to devices leaves 60 percent of Android users exposed to the QSEE vulnerability.
Duo researchers further estimate that 27 percent of Android phones are too old to receive monthly security updates at all and are therefore permanently vulnerable. Affected hardware includes Qualcomm Snapdragon chipsets found in Samsung’s Galaxy S5 and S6, Motorola’s Droid Turbo, and Google’s Nexus line of phones.
The exploit takes advantage of ARM TrustZone, a processor feature that splits execution into a Normal World, where Android and its Linux kernel run, and a Secure World that handles sensitive operations such as the management of cryptographic keys. Qualcomm’s implementation of the Secure World is called the Qualcomm Secure Execution Environment. The vulnerability lies in QSEE and in the access the TrustZone kernel grants it: code running there can reach the hardware-protected TrustZone file system and also the device’s system memory, which is what makes a bug in a QSEE component so consequential.
“An attacker running code in the Normal World could take advantage of a vulnerability in mediaserver to exploit an application running in the Secure World. Then the attacker could modify the Normal World’s Linux kernel, allowing the attacker to compromise the whole operating system to whatever ends they’re trying to achieve,” Duo Labs wrote.
Lady points to the Android mediaserver, which holds the special permissions needed to communicate with QSEE that ordinary apps lack. The attack therefore requires that a malicious app first exploit some vulnerability in mediaserver.
“We’re assuming that the attacker has one, given how frequently ‘Critical’ or ‘High’ severity bugs in mediaserver are found and patched,” Duo Labs said.
Beniamini found that once an attacker can communicate with QSEE’s trusted applications, a vulnerability in any one of them can be exploited to gain that application’s level of access, which in QSEE extends to reading and modifying memory in the Normal World, including the Linux kernel.
“This allows an attacker to hijack the device’s kernel despite the fact that there is no kernel vulnerability,” Lady said.
Remediation, according to Duo Labs, includes applying the January 2016 security patch, blocking installation of apps from third-party Android app stores, and deploying a mobile device management solution for BYOD devices.
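As an added example, not code from Duo Labs or from Beniamini’s writeup, the following POSIX shell script triages devices from the output of `adb shell getprop`: it flags devices on a Qualcomm board whose reported security patch level predates the January 2016 bulletin, and separately reports devices that expose no patch level at all, which is the case for builds older than Android 6.0 and matches the population that will never receive the fix. The property names `ro.board.platform` and `ro.build.version.security_patch` are real Android build properties; the board-platform prefixes it treats as Qualcomm, the choice of 2016-01-01 as the fixed level, and the sample property dumps are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not Duo Labs' or Beniamini's code): classify an Android
# device's exposure to CVE-2015-6639 from its build properties.
#
# Assumptions: the fix shipped in the January 2016 bulletin, so a patch level
# of 2016-01-01 or later is treated as fixed; Qualcomm SoCs are recognised by
# the msm*/apq*/mdm*/sdm* ro.board.platform prefixes; a missing
# ro.build.version.security_patch property (Android < 6.0) means the build
# predates monthly patch levels and can never carry the fix.

FIX_LEVEL=2016-01-01

# prop NAME DUMP: print the value of property NAME from a getprop dump.
# getprop prints "[name]: [value]" lines; adb adds CRLF endings, so strip \r.
prop() {
  printf '%s\n' "$2" | tr -d '\r' | sed -n "s/^\[$1\]: \[\(.*\)\]$/\1/p"
}

# is_qualcomm PLATFORM: succeed if the board platform names a Qualcomm SoC.
is_qualcomm() {
  case "$1" in
    msm*|apq*|mdm*|sdm*) return 0 ;;
    *) return 1 ;;
  esac
}

# patched LEVEL: succeed if LEVEL (YYYY-MM-DD) is on or after FIX_LEVEL.
# Both are zero-padded ISO dates, so dropping the dashes yields integers that
# compare in date order.
patched() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) return 1 ;;   # absent or malformed level: not demonstrably patched
  esac
  [ "$(printf '%s' "$1" | tr -d '-')" -ge "$(printf '%s' "$FIX_LEVEL" | tr -d '-')" ]
}

# assess DUMP: print NOT_QUALCOMM, NO_PATCH_LEVEL, VULNERABLE or PATCHED.
assess() {
  platform=$(prop ro.board.platform "$1")
  level=$(prop ro.build.version.security_patch "$1")
  if ! is_qualcomm "$platform"; then
    echo NOT_QUALCOMM
  elif [ -z "$level" ]; then
    echo NO_PATCH_LEVEL
  elif patched "$level"; then
    echo PATCHED
  else
    echo VULNERABLE
  fi
}

# Constructed getprop excerpts standing in for real device dumps.
DUMP_LOLLIPOP='[ro.board.platform]: [msm8974]
[ro.build.version.release]: [5.1.1]'
DUMP_UNPATCHED='[ro.board.platform]: [msm8994]
[ro.build.version.security_patch]: [2015-12-01]'
DUMP_PATCHED='[ro.board.platform]: [msm8974]
[ro.build.version.security_patch]: [2016-01-01]'
DUMP_EXYNOS='[ro.board.platform]: [exynos5]
[ro.build.version.security_patch]: [2015-11-01]'

for d in "$DUMP_LOLLIPOP" "$DUMP_UNPATCHED" "$DUMP_PATCHED" "$DUMP_EXYNOS"; do
  printf '%-12s %s\n' "$(prop ro.board.platform "$d")" "$(assess "$d")"
done
# Against a live device: assess "$(adb shell getprop)"
```

The patch level is the only signal an enterprise can read without root, and it reflects the OEM build rather than the carrier’s rollout, so a device that reports an old level is exposed regardless of what Google shipped for Nexus in January. A `NO_PATCH_LEVEL` result is the permanently vulnerable case and is the one an MDM policy should act on.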