Mandiant’s Red Team discovered widespread malicious vulnerability affecting Android devices

Mandiant’s Red Team recently discovered a widespread vulnerability affecting Android devices that permits local privilege escalation to the built-in user “radio”, making it so an attacker can potentially perform activities such as viewing the victim’s SMS database and phone history. The vulnerability exists in a software package maintained by Qualcomm that is available from the Code Aurora Forum. It is published as CVE-2016-2060 and security advisory QCIR-2016-00001-1 on the Code Aurora Forum. 

malicious vulnerability, malware, android devices


The report states that it's possible that hundreds of models, meaning millions of devices, are affected across the last five years, across Android versions ranging from Lollipop to Ice Cream Sandwich. Qualcomm has addressed this issue by patching the "netd" daemon and in March alerted all of its OEMs too. I's now up to the OEMs to issue an update to its devices but given the diversity and range of products, there is a chance that many might not be updated. Google has also officially acknowledged this vulnerability after publishing the May edition of the Android Security Bulletin.

Read: McAfee Labs Report Finds Only 42 Percent of Surveyed Cybersecurity Professionals Use Shared Threat Intelligence

There are two ways to exploit this vulnerability, though this does not account for a determined attacker who possesses additional vulnerabilities. The first is to have physical access to an unlocked device, and the second is to have a user install a malicious application on the device.

On older devices, the malicious application can extract the SMS database and phone call database, access the Internet, and perform any other capabilities allowed by the "radio" user. Some examples of potential capabilities of the "radio" user are presented in the blog itself, though it was difficult for all of these to be tested.

Newer devices are affected less. The malicious application can modify additional system properties maintained by the operating system. The impact here depends entirely on how the OEM is using the system property subsystem.

The vulnerability seems to affect all Android devices with Qualcomm chips and/or Qualcomm code. Since many -- flagship and non-flagship -- devices use these, it's possible that the bug could have widespread reach and could have affected hundreds of devices in the last five years.

Qualcomm on its part addressed the issue by releasing a software patch in early March 2016. "The OEMs will now need to provide updates for their devices; however, many devices will likely never be patched," said the report. 

No comments:

Post a Comment