A new flaw, discovered and disclosed by cyber security company FireEye, has been found to affect Android devices and allow attackers to gain access to the built-in cellular radio.
The privilege escalation exploit would allow information including call and SMS history to be harvested from devices running Android 4.3 Jelly Bean or earlier via the 'network_manager' daemon or the subsequent 'netd' daemon. This vector also allowed access to anything else running as the radio user, which included the active internet connection.
Devices running Android 4.4 KitKat and later are partially protected given the development and inclusion of 'Security Enhancements for Android'. SEAndroid runs the netd daemon in a context separated from the radio user application data. However, the attack does allow access to and modification of numerous system properties which could lead to devices being further compromised.
Qualcomm patched the netd daemon after being notified by FireEye back in January 2016. FireEye thanked Qualcomm for its receptiveness in a post on its threat research blog:
When contacted by FireEye, Qualcomm was extremely responsive throughout the entire process. They fixed the issue within 90 days – a window they set, not FireEye. FireEye would like to thank Qualcomm for their cooperation throughout the disclosure and diligence with addressing the issues.
The exploit itself flew under the radar for years, as the APIs used to initiate such an attack have not been considered malicious by Google Play or by FireEye's own Mobile Threat Prevention solution. Furthermore, the permission required to access these APIs has been requested by "millions of applications", which could lead to an overwhelming number of false positives in automated scans.
While FireEye stopped short of estimating the number of impacted devices, they noted that "it is possible that hundreds of models are affected across the last five years." Furthermore, the security firm noted that it would be "particularly difficult to patch all affected devices, if not impossible."
Given the general notoriety of smartphone manufacturers and carriers when it comes to releasing Android updates, it would seem to be a fairly safe bet that devices running anything older than Android 5.0 Lollipop will remain unpatched. According to the most recent Android usage statistics published by Google, nearly 58% of devices that accessed the Google Play Store in the week ending May 2 were still running Android 4.x, despite a collective reduction of 2.3% compared to the prior month's figures.
Source: FireEye via Ars Technica