Qualcomm security flaw impacts Android devices, project APIs

The issue can result in information leaks and local privilege escalation -- and it may be impossible to patch all vulnerable devices.
Written by Charlie Osborne, Contributing Writer

Researchers have revealed a security flaw in Android devices using Qualcomm chips that can lead to information disclosure and device manipulation.

The vulnerability in question is CVE-2016-2060, a lack of input sanitization of the "interface" parameter of the "netd" daemon, used as part of the Android Open Source Project (AOSP).
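
The check below is an added example, not code from the article, FireEye or Qualcomm: one way a privileged daemon can allowlist an interface-name argument before acting on it. The function names, the permitted character set and the sample inputs are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

#define IFACE_MAX_LEN 15 /* Linux IFNAMSIZ is 16, including the trailing NUL */

/* Allowlist check for an interface name supplied by an untrusted caller.
 * The length is passed explicitly so an embedded NUL byte cannot hide
 * trailing data from the check. Returns 1 if acceptable, 0 otherwise. */
int iface_name_ok(const char *name, size_t len)
{
    if (name == NULL || len == 0 || len > IFACE_MAX_LEN)
        return 0;
    /* First byte must be alphanumeric, so the value never looks like an option or a path. */
    if (!isalnum((unsigned char)name[0]))
        return 0;
    for (size_t i = 1; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.' && c != ':')
            return 0;
    }
    return 1;
}

/* Constructed sample requests (not taken from the article). */
struct sample { const char *name; size_t len; };
static const struct sample SAMPLES[] = {
    { "wlan0", 5 },                  /* accepted */
    { "rmnet_data0", 11 },           /* accepted */
    { "eth0.100", 8 },               /* accepted: VLAN-style name */
    { "", 0 },                       /* rejected: empty */
    { "wlan0 extra", 11 },           /* rejected: whitespace */
    { "wlan0\nextra", 11 },          /* rejected: control character */
    { "wlan0\0extra", 11 },          /* rejected: embedded NUL */
    { "-wlan0", 6 },                 /* rejected: leading '-' */
    { "averyveryverylongname", 21 }, /* rejected: longer than 15 bytes */
};

/* Counts how many of the constructed samples the check rejects. */
int count_rejected(void)
{
    int rejected = 0;
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++)
        if (!iface_name_ok(SAMPLES[i].name, SAMPLES[i].len))
            rejected++;
    return rejected;
}

int main(void) { printf("rejected %d samples\n", count_rejected()); return 0; }
```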

When Qualcomm, a provider of chips and code used in Android devices, introduced new APIs as part of the Android network manager system service, vulnerable phones were then connected to the "netd" daemon.

The daemon gave smartphones heightened networking capabilities, including additional tethering capabilities -- but also, unfortunately, introduced this vulnerability to the Android operating system.

To exploit the flaw in the daemon's API, attackers must either have physical access to a device or have a user install a malicious application onto the device, likely through a fake download, a phishing campaign or a malicious app which has slipped through the Google Play security net.

"Any application could interact with this API without triggering any alerts," FireEye says. "Google Play will likely not flag it as malicious, and FireEye Mobile Threat Prevention (MTP) did not initially detect it. It's hard to believe that any antivirus would flag this threat. Additionally, the permission required to perform this is requested by millions of applications, so it wouldn't tip the user off that something is wrong."

It is also difficult for users to notice their devices are infected as there are no performance changes or crashes.

If the flaw is exploited on older devices, the malicious app can siphon away the SMS database and phone call data, access the web and perform other actions allowed through the API. Newer devices, however, are affected less severely.

Although it depends on the vendor's property subsystem settings, most new devices will only grant the malicious app access to change some system properties maintained by the operating system rather than steal data.

There is no real answer to how many devices may be vulnerable, although FireEye says it is possible that "hundreds of models" of mobile devices produced in the last five years using Qualcomm chips and code could be harboring the security flaw.

In other words, countless users could be vulnerable to attack, but FireEye's Mandiant Red Team says that usage of the vulnerable API has been monitored and there is no evidence to suggest the vulnerability is being exploited in the wild.

FireEye reached out to Qualcomm in January 2016 and has worked with the team since to fix the problem. The US chip maker has resolved the issue in part by patching the "netd" daemon, but it is now up to OEMs to provide updates for their devices. However, there is a problem.

FireEye says:

"Since this is an open-source software package developed and made freely available by Qualcomm, people are using the code for a variety of projects, including Cyanogenmod (a fork of Android). The vulnerable APIs have been observed in a Git repository from 2011, indicating that someone was using this code at that time. This will make it particularly difficult to patch all affected devices, if not impossible.
The OEMs will now need to provide updates for their devices; however, many devices will likely never be patched."
