A security researcher has said that hundreds of different models of Android devices are vulnerable to leaking data to seemingly innocuous apps.
Announced by FireEye in a blog post, the vulnerability allows an attacker to potentially do things like view the SMS database and call history, as well as changing system settings. Unfortunately, the problem stems from a Qualcomm software package, which is used across hundreds of different devices, including as part of the Cyanogen package too in some instances.
“The vulnerability was introduced when Qualcomm provided new APIs as part of the ‘network_manager’ system service, and subsequently the ‘netd’ daemon, that allow additional tethering capabilities, possibly among other things. Qualcomm had modified the ‘netd’ daemon,” FireEye says.
What’s the damage?
The most at-risk devices are those running older versions of Android, though newer ones are still vulnerable to a lesser extent. FireEye confirmed it was present on devices running Android Lollipop (5.0), KitKat (4.4) and Jelly Bean MR2 (4.3). It’s been present as far back as Ice Cream Sandwich in 2011, though.
The real threat for users is that if an attacker was to try and exploit it, no red flags would be raised by Google Play or your device – it depends on an expected operation.
Google Play will likely not flag it as malicious, and FireEye Mobile Threat Prevention (MTP) did not initially detect it. It’s hard to believe that any antivirus would flag this threat. Additionally, the permission required to perform this is requested by millions of applications, so it wouldn’t tip the user off that something is wrong.
Naturally, FireEye told Qualcomm and Google about the issue, with the latter including it in this month’s security bulletin. Qualcomm fixed the problem within 90 days of being informed about it.
Despite this, FireEye says that it’s “particularly difficult to patch all affected devices, if not impossible” due to the vulnerability being contained in active open source code.
The silver lining?
There’s no evidence that it’s being exploited yet, so there’s no need to worry too much for now. That’s not to say that it never will be though, given that Android is now active on approaching 1.5 billion devices, many of which aren’t using the newest version of the OS.