There is a critical security vulnerability present in some Android devices based around a piece of Qualcomm code that has existed from at least 2011 and now referred to as CVE-2016-2060. The vulnerability was discovered by FireEye’s security research team and is associated with the ability for malicious code to exploit a local privilege escalation bug associated with the built-in user radio. This means that an attacker could look through sensitive device information and modify important settings on the handset. Qualcomm’s software package is available from the Code Aurora Forum and has been incorporated into the Android Open Source Project, often known as AOSP. Qualcomm introduced the vulnerability when they incorporated a suite of new APIs, application programmable interfaces, as part of additional tethering functionality incorporated into Android. Qualcomm modified the “netd” daemon, which in turn modifies a number of the services that will be running on an Android device. The vulnerability allows an “unsanitised” command to be executed, which could be used to inject malicious code into sensitive parts of the device as well as a number of permissions not available to third party applications, including the ability to act as the Bluetooth administrator, change the APN settings and disable the lock screen. This means that if the device is compromised, there is no indication to the end-user that there’s an issue.
Unfortunately, it is not known how many Android devices could be impacted by this critical vulnerability. Many manufacturers of many devices have used either the Qualcomm code or a Qualcomm chipset in their devices. Android 2.3 Gingerbread was originally released in 2011 and FireEye have identified the critical weakness present in at least Android Lollipop (5.0), KitKat (4.4) and Jellybean (4.3) versions. Any fork of Android that includes the Qualcomm-modified netd daemon could be potentially at risk, which includes CyanogenMod. Qualcomm were informed of the weakness back in January 2016 and worked in conjunction with FireEye to fix it, providing a fix for the issue in March 2016. The patch for the issue has been included in the May 2016 security fix patch as released by Google. From Android 4.4 KitKat and later, Android includes a number of security enhancements designed to restrict access to sensitive parts of the device and will help contain the potential damage from compromised devices. Google have stated that no Nexus device was or is at risk of the vulnerability but the FireEye team explain in their technical blog that manufacturers adjust how their devices operate at a detailed level and it is difficult to know what a malicious application could do to a device.
It’s encouraging to see that Google acted on the changes implemented into Android, although it has taken over four months for the patch to reach the market. Unfortunately, a great many devices with this vulnerability are unlikely to receive the security patch. And until we have a widespread attack on Android devices, manufacturers and carriers are unlikely to patch older devices with the latest security updates.