Qualcomm-Based Android Devices Vulnerable to Attacks – CyanogenMod Also Affected
A serious information disclosure vulnerability in the Qualcomm tethering controller allows hackers to gain access to private user data. Affecting hundreds of thousands of Android devices, the flaw has now been discovered and patched.
Qualcomm API bug exposes Android devices to malicious apps
Android is notorious for its lack of security when compared to other mobile operating systems. With no control over security updates, and as the most used mobile OS, the platform not only attracts more attention from hackers but is also difficult to patch. While the vulnerabilities exploited by hackers are sometimes found in the Android core, this time it is Qualcomm that is responsible for introducing a serious vulnerability exposing private user data to rogue apps.
While introducing new networking features such as tethering for its chips, Qualcomm inadvertently created a way for apps to overstep their own permissions and execute tasks as the "radio" user, a system account that is tied to networking functions. With access to network and cell data, this critical vulnerability allows hackers to gain access to private user data. First introduced in 2011 as part of Android's network_manager system service and netd process, the new API allowed the radio user to access data it typically shouldn't. The information disclosure vulnerability in the Qualcomm tethering controller, CVE-2016-2060, allows malicious applications to access user information. The capabilities included viewing a user's SMS and phone call history.
Who is affected by this Android security vulnerability
Since the API was introduced in 2011, that is, in the days of Android 2.3 Gingerbread, the vulnerability could have affected millions of Android users. Those on Android 5.0 Lollipop, 4.4 KitKat and 4.3 Jelly Bean are all affected. While this flaw is specific to Qualcomm's chips, the affected API is used in a variety of projects, including CyanogenMod.
Security researchers have noted that there has been no active use of this exploit. But they also admit that once it is exploited, there is no way for a user to know that a rogue app has accessed their private data. Qualcomm has now patched the affected parts of the API, and Google has also released the patch. But again, there is no way this fix will ever reach users of older devices, who are at the highest risk from this exploit.
For those of you on newer devices, please install these security patches as soon as you receive the OTA notifications. Also, stay away from custom ROMs that may have been affected by this API until they make use of the updated APIs.