Android Qualcomm flaw lets hackers access your texts, call logs, and browsing histories
Faulty Qualcomm code gives hackers key to your text messages and call history
A security flaw affecting hundreds of Android phones using Qualcomm chips potentially lets hackers access a phone's SMS text messages, call log and internet browser.
Security firm FireEye discovered the vulnerability in January, but is only now being reported as Qualcomm has since issued a patch to handset manufacturers.
The security hole, which has been given the designation CVE-2016-2060, is a lack of input sanitisation in the "interface" parametre of the "netd" daemon in Android, FireEye said.
This means an attacker can, in theory, gain access to all of a device's "radio" functions, including its browser, SMS logs and call logs, as well as changing system permissions, such as disabling the lock screen or discovery of and pairing with Bluetooth devices.
All versions of Android are impacted from Gingerbread (2.3) to Lollipop (5), although devices running Jellybean (4.3) and older are most at risk. This is because they do not include Security Enhancements for Android (SEAndroid), which separates out the "netd" executable and severely limits its interactions with other applications.
"Since this is an open-source software package developed and made freely available by Qualcomm, people are using the code for a variety of projects, including Cyanogenmod (a fork of Android). The vulnerable APIs have been observed in a Git repository from 2011, indicating that someone was using this code at that time. This will make it particularly difficult to patch all affected devices, if not impossible," said FireEye in a blog post.
FireEye praised Qualcomm's response to the issue, stating: "When contacted by FireEye, Qualcomm was extremely responsive throughout the entire process. They fixed the issue within 90 days a window they set, not FireEye. FireEye would like to thank Qualcomm for their cooperation throughout the disclosure and diligence with addressing the issues."
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.
It is now up to the handset manufacturers to roll out patches to their devices.
Jane McCallion is ITPro's deputy editor, specializing in cloud computing, cyber security, data centers and enterprise IT infrastructure. Before becoming Deputy Editor, she held the role of Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.
AI security tools promise to supercharge productivity, but experts worry cyber pros could become too reliant
US offers $10 million bounty for information on UnitedHealth hackers
Tycoon 2FA, the popular phishing kit built to bypass Microsoft and Gmail security protections, just got a major upgrade — and it’s now even harder to detect
Most Popular
By Daniel Todd