Failure to Qualcomm chip leaves you vulnerable million devices … – Computerworld

A vulnerability in an Android component shipped with smart phones that use Qualcomm chips endangers the message history and connections of users.

flaw was discovered by security researchers at FireEye and was corrected by Qualcomm in March. However, since the vulnerability was introduced five years ago, many devices will probably never receive the patch because they have more support from manufacturers.

The vulnerability, which is tracked as CVE-2016-2060, is located in an Android component called “Netd” Qualcomm modified to provide additional tethering capabilities. Malicious applications could exploit the flaw to execute commands as the “radio” system user who has special privileges.

Since the Qualcomm chips are quite popular among manufacturers, researchers at FireEye estimate hundreds of Android models were affected. And as there are more than 1.4 billion active Android devices in the world, it probably means that the fault is present in millions of devices.

According to a security advisory from Qualcomm Innovation Center, the flaw affects all launches with Android Jelly Bean, KitKat and Lollipop.

to exploit the vulnerability, a malicious app only need the permission widely used “ACCESS_NETWORK_STATE” to access the API exposed by the modified service of Qualcomm. This makes it difficult to detect attack attempts.

“Any application could interact with this API without triggering any alerts. Google Play will probably not mark it as malicious, and FireEye Mobile Threat Prevention (MTP) not detected initially. It is hard to believe that any antivirus alert about this threat, “said Jake Valletta, from Mandiant, a subsidiary of FireEye.

The devices running Android KitKat (4.4) or later are less affected than devices older because they already come with the Security Enhancements mechanism for Android (SEAndroid) enabled by default. This makes it almost impossible to steal data from other apps by this failure.

Google included the CVE-2016-2060 vulnerability in its May security bulletin published this week.