Android has acquired, warranted or not, the reputation of being a relatively less secure mobile platform. In some cases, it’s attributed to the freedoms that the operating system affords developers and users. At other times, the weakness can be found inside Android’s core, like the Stagefright flaw. This time, an equally frightening and far reaching security hole has crept into the Android codebase via one of Google’s own partners. In introducing new networking features like tethering for its chips, Qualcomm inadvertently created a way for hackers to gain access to private user data, potentially affecting thousands, if not millions, of Android devices out in the wild.
To be clear, this security flaw only affects Qualcomm’s chips and those particular using specific code from Qualcomm. And in the company’s defense, it acted quickly once it was informed of the flaw. The chip maker introduced new API in 2011 as part of Android’s network_manager system service and eventually the netd process. The API allowed the “radio” user, the system account that is tied to networking functions, to get access to data that it normally couldn’t. This included being able to view the user’s SMS or phone call history.
There are a couple of factors that complicate this vulnerability, making it potentially dangerous. Malicious apps need only use official Android API to use this exploit. And since the API is official, it won’t be so easily detected by automated anti-malware tools. Even FireEye, who disclosed the vulnerability, didn’t initially detect it with their tool. A user need only be duped into downloading a seemingly innocent app that asks permissions for network usage to become a victim.
The scope of the vulnerability is also difficult to determine, thanks to Android fragmentation when it comes to versions. The API in question goes as far back as 2011, when 2.3 Gingerbread was the current version. The vulnerability was also observed in Lollipop (5.0), KitKat (4.4), and Jelly Bean (4.3). The problem, however, is worse for older versions that don’t have more up to date security systems in place and where the “radio” user has almost untethered access to data.
The slightly good news is that there has been no active use of the exploit, although FireEye also admits that once exploited, there is really no way for the user to know about it. Qualcomm has already patched the affected parts of the software and Google itself has issued a security bulletin about it, filed under the CVE-2016-2060 vulnerability. Sadly, it’s a completely different question of when and if those fixes will arrive on consumers’ handsets. Older devices have even less hope here. The situation is again reminiscent of the Stagefright situation, which will probably put Android’s fragmentation under scrutiny again.