Issue affects the vast majority of Android users

May 5, 2016 21:05 GMT  ·  By

Security researchers from FireEye's Mandiant division have uncovered a five-year-old vulnerability that affects around 73.1 percent of the entire Android user base.

Google categorized the issue as an "Information Disclosure Vulnerability in [the] Qualcomm Tethering Controller," and the company has recently patched it in the Android Security Bulletin for the month of May.

Tracked as CVE-2016-2060 in the MITRE vulnerability database, the issue affects all devices running Android 5.0 Lollipop and earlier, which means about three out of four Android handsets.

Attackers could steal SMS and phone call records

According to Mandiant's team, the vulnerability lies in a set of APIs that Qualcomm added to the network_manager system service, which is part of Android's netd daemon.

To exploit CVE-2016-2060, an attacker would only need to create an app that requests the ACCESS_NETWORK_STATE permission on the device.

The app could abuse flaws in the Qualcomm APIs to escalate its privileges to Android's built-in "radio" user. That user is able to query SMS records and call history, and can even use the Internet connection.

Attack is invisible to users, Google

Mandiant says that newer Android OS versions are less affected because of security measures put in place by Google, and because of how different OEMs have implemented their own and Qualcomm's APIs.

Successful exploitation is also very hard to detect, the Mandiant team says. The researchers report no performance impact, and during their tests neither the app nor the device crashed.

"Any application could interact with this API without triggering any alerts. Google Play will likely not flag it as malicious, and FireEye Mobile Threat Prevention (MTP) did not initially detect it," FireEye's Jake Valletta explains. "It’s hard to believe that any antivirus would flag this threat. Additionally, the permission required to perform this is requested by millions of applications, so it wouldn't tip the user off that something is wrong."

Mandiant reached out to Qualcomm in January, and by March the hardware and software maker had already sent patches to Google and other Android OEMs.