The serious flaw, assigned the identifier CVE-2016-2060, was discovered by security firm FireEye. It found that Android apps can access hardware features they are not permitted to use by piggybacking on permissions granted to other apps distributed through the Google Play Store. The bug could be exploited by attackers if they gained physical access to a device or got a user to install a malicious app.
The vulnerability lies in a software package provided by chip manufacturer Qualcomm. When exploited, it permits an app to access a phone’s cellular radio, even if the user hasn’t granted it the required permissions. This could allow it to read a user’s call history and SMS messages. An attacker could also change system settings to further weaken a device’s security.
Throughout the process, there is no indication to the user that an app is accessing their data. A malicious application could exploit the bug without triggering any alerts and Google Play would not flag the malware as malicious. With antivirus software unaware of this kind of threat, it would be almost impossible for the user to realise that something is wrong.
The effects of a successful exploit are limited on newer devices by Android’s SELinux security feature. An attacker could still access some user data but would be unable to change system properties or interact with the core of the Android operating system.
“CVE-2016-2060 has been present on devices since at least 2011 and likely affects hundreds of Android models around the world,” said FireEye. “This vulnerability allows a seemingly benign application to access sensitive user data including SMS and call history and the ability to perform potentially sensitive actions such as changing system settings or disabling the lock screen. Devices running Android 4.3 (“Jellybean MR2”) or older are the most affected by the vulnerability, and are likely to remain unpatched. Newer devices utilizing SEAndroid are still affected, but to a lesser extent.”
FireEye said “there is no solid answer” on how many devices have been affected. Hundreds of distinct models manufactured in the past five years are likely to include the bug. It is present in Android versions ranging from 4.0.3 Ice Cream Sandwich to 5.0 Lollipop.
FireEye contacted Qualcomm upon discovering the vulnerability. Qualcomm was “extremely responsive” to the issue report and set itself a 90-day deadline to fix the problem. The patch was completed on time and issued to all hardware manufacturers in March.
It will now be up to individual manufacturers to roll the update out to customers. As with so many security fixes before, this means many phones will never receive the update and more will wait months before seeing it. The fragmented nature of Android makes it difficult to roll out every update to every phone, leaving users exposed to security threats like this.