Millions of Qualcomm-Based Android Devices Vulnerable to Attacks: Report

Millions of Qualcomm-Based Android Devices Vulnerable to Attacks: Report
Highlights
  • The vulnerability affects smartphones with Qualcomm chips.
  • Attackers can potentially access your SMS data, call logs and more.
  • Qualcomm has issued a patch but it's up to OEMs to release updates.

Mandiant, a cyber-security firm, has released a report which states that devices running on Qualcomm chips or code written by the chip maker are vulnerable to attack. This vulnerability has been identified as CVE-2016-2060 which exists in a software package maintained by Qualcomm and if exploited, can grant the attacker access to the victim's SMS database, phone history, and more. As this is an open source software package, it affects a variety of projects that use the said APIs, including Cyanogenmod.

The CVE-2016-2060 vulnerability, as Mandiant puts it, is the lack of input sanitisation of the "interface" parameter of the "netd" daemon, which is part of the Android Open Source Project (AOSP). This was part of some new APIs that Qualcomm introduced some years ago to allow additional tethering capabilities, among other features. In order to exploit this code, the attacker would either need access to your unlocked device or execute the attack via a malicious application. The alarming part is that since this API is very frequently accessed by most of the apps on your phone, it's tough for the Android subsystem to differentiate between requests from a regular app versus a malicious one. In fact, neither Google Play nor any of your anti-virus programs are likely to flag this intrusion.

The report states that it's possible that hundreds of models, meaning millions of devices, are affected across the last five years, across Android versions ranging from Lollipop to Ice Cream Sandwich. Qualcomm has addressed this issue by patching the "netd" daemon and in March alerted all of its OEMs too. I's now up to the OEMs to issue an update to its devices but given the diversity and range of products, there is a chance that many might not be updated. Google has also officially acknowledged this vulnerability after publishing the May edition of the Android Security Bulletin.

"Enabling robust security and privacy is a top priority for Qualcomm Technologies, Inc," Qualcomm told Gadgets 360 in an emailed statement. "Recently, we worked with Mandiant, a FireEye company, to address the vulnerability (CVE-2016-2060) that may affect Android-based devices powered by certain Snapdragon processors. We are not aware of any exploitation of this vulnerability. We have made security updates available to our customers to address this vulnerability."

Mandiant further states that older devices are more vulnerable as the attacker can extract SMS database, phone call database, access the Internet or any other activities allowed by the user. Newer devices are less affected since Android 4.4 KitKat introduced Security Enhancements for Android (SEAndroid), which supress this exploit to an extent. Currently, this vulnerability is not being actively exploited but it is of concern as even Google has tagged its severity as 'High'.

This is not the first time critical vulnerabilities have been discovered as potential threats in the world on Android. Just last month, Google acknowledged the CVE-2015-1805 vulnerability which was actively being exploited by an app in the Play Store. Prior to that Stagefright vulnerability , which affected millions of Android devices.

Comments

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel.

Roydon Cerejo writes about smartphones and laptops for Gadgets 360, out of Mumbai. He is the Deputy Editor (Reviews) at Gadgets 360. He has frequently written about the smartphone and PC industry and also has an interest in photography. With over a decade of experience covering the consumer technology space, he is also an avid sci-fi movie and TV show geek and is always up for good horror flick. Roydon is available at roydon@gadgets360.com, so please send in your leads and tips. More
Gadgets 360 Has a Brand New Podcast
Nintendo NX to Use Cartridges Instead of Discs: Report

Related Stories

Share on Facebook Tweet Snapchat Share Reddit Comment
 
 

Advertisement

Advertisement

© Copyright Red Pixels Ventures Limited 2021. All rights reserved.
Listen to the latest songs, only on JioSaavn.com