A five-year-old Android vulnerability disclosed today affects hundreds of different device models going back to Jelly Bean 4.3. Older devices are at the greatest risk; newer devices running Android with SE Android, the OS’ implementation of Security Enhanced Linux, are at a lesser risk.
The vulnerability allows attackers to escalate privileges on a device, leading to further attacks such as stealing SMS or call logs. Researchers at FireEye’s Mandiant Red Team found the flaw, CVE-2016-2060, in Qualcomm software available from the Code Aurora Forum.
Qualcomm patched the affected software and moved a fix to OEMs in March. As with other Android patches, OEMs must push updates to devices. Mandiant cautions, however, that it’s likely many devices will not be patched. The vulnerable APIs, for example, were found in a 2011 git repository, meaning that the code has been in circulation for five years and could be in an untold number of devices.
“This will make it particularly difficult to patch all affected devices, if not impossible,” Madiant said in its advisory, adding that it has not aware of public exploits.
The issue was privately reported in January, and Mandiant said that Qualcomm was responsive and set a 90-day deadline for a fix.
Researchers said the vulnerability occurs from a lack of input checks against the Android netd daemon’s interface parameter.
“The vulnerability was introduced when Qualcomm provided new APIs as part of the ‘network_manager’ system service, and subsequently the ‘netd’ daemon, that allow additional tethering capabilities, possibly among other things. Qualcomm had modified the ‘netd’ daemon,” Mandiant said in an advisory.
The scope of the flaw is uncertain. Qualcomm chips and code are rampant in Android devices, including most mainstream commercial handsets and tablets.
“To provide some API numbers, Android Gingerbread (2.3.x) was released in 2011. This vulnerability was confirmed on devices running Lollipop (5.0), KitKat (4.4), and Jellybean MR2 (4.3), and the Git commit referenced in the post is Ice Cream Sandwich MR1 (4.0.3),” Mandiant said in its advisory.
To exploit the vulnerability, an attacker would need physical access to a vulnerable device, or would have to load the exploit onto an application and entice the user to download and execute it.
Researchers said it’s unlikely that security software would be tripped by such an application because it requires permissions generally requested and approved by default for millions of applications.
“On older devices, the malicious application can extract the SMS database and phone call database, access the Internet, and perform any other capabilities allowed by the ‘radio’ user,” Mandiant said in its advisory.
Newer devices are less affected, the researchers said, but a malicious app could still modify some system properties managed by Android.
“The impact here depends entirely on how the OEM is using the system property subsystem,” Mandiant said.
Technical details were published today in a blog post.