Mandiant, a cyber-security firm, has released a report which states that devices running on Qualcomm chips or code written by the chip maker are vulnerable to attack. This vulnerability has been identified as CVE-2016-2060 which exists in a software package maintained by Qualcomm and if exploited, can grant the attacker access to the victim's SMS database, phone history, and more. As this is an open source software package, it affects a variety of projects that use the said APIs, including Cyanogenmod.
The CVE-2016-2060 vulnerability, as Mandiant puts it, is the lack of input sanitisation of the "interface" parameter of the "netd" daemon, which is part of the Android Open Source Project (AOSP). This was part of some new APIs that Qualcomm introduced some years ago to allow additional tethering capabilities, among other features. In order to exploit this code, the attacker would either need access to your unlocked device or execute the attack via a malicious application. The alarming part is that since this API is very frequently accessed by most of the apps on your phone, it's tough for the Android subsystem to differentiate between requests from a regular app versus a malicious one. In fact, neither Google Play nor any of your anti-virus programs are likely to flag this intrusion.
The report states that it's possible that hundreds of models, meaning millions of devices, are affected across the last five years, across Android versions ranging from Lollipop to Ice Cream Sandwich. Qualcomm has addressed this issue by patching the "netd" daemon and in March alerted all of its OEMs too. I's now up to the OEMs to issue an update to its devices but given the diversity and range of products, there is a chance that many might not be updated. Google has also officially acknowledged this vulnerability after publishing the May edition of the Android Security Bulletin.
"Enabling robust security and privacy is a top priority for Qualcomm Technologies, Inc," Qualcomm told Gadgets 360 in an emailed statement. "Recently, we worked with Mandiant, a FireEye company, to address the vulnerability (CVE-2016-2060) that may affect Android-based devices powered by certain Snapdragon processors. We are not aware of any exploitation of this vulnerability. We have made security updates available to our customers to address this vulnerability."
Mandiant further states that older devices are more vulnerable as the attacker can extract SMS database, phone call database, access the Internet or any other activities allowed by the user. Newer devices are less affected since Android 4.4 KitKat introduced Security Enhancements for Android (SEAndroid), which supress this exploit to an extent. Currently, this vulnerability is not being actively exploited but it is of concern as even Google has tagged its severity as 'High'.
This is not the first time critical vulnerabilities have been discovered as potential threats in the world on Android. Just last month, Google acknowledged the CVE-2015-1805 vulnerability which was actively being exploited by an app in the Play Store. Prior to that Stagefright vulnerability , which affected millions of Android devices.