Millions of Android devices using Qualcomm technology are vulnerable to a critical security flaw that dates back to 2011. The bug can potentially be exploited by hackers to view a victim's text messages and phone history. According to FireEye, the security vendor that discovered the bug, it is likely that many of the affected devices will never be patched. Here are the details.
The vulnerability originates from an open source software package maintained by Qualcomm that provided new APIs for a range of features. The bug has been confirmed on devices running Android 4.0.3 (Ice Cream Sandwich MR1) to Android 5.0 (Lollipop). Given how many Android devices use Qualcomm chips or code, the issue could affect hundreds of models of mobile phones released in the last five years.
Because the software package in question is open source, the security flaw could affect many more devices. For example, CyanogenMod, which is an independent distribution of Android, also uses the Qualcomm package.
According to FireEye's research team:
"This vulnerability allows a seemingly benign application to access sensitive user data including SMS and call history and the ability to perform potentially sensitive actions such as changing system settings or disabling the lock screen."
Qualcomm has reached out to its mobile device manufacturer customers and informed them of the bug. It is now up to these manufacturers to issue patches for their devices. However, FireEye stated that many devices will likely never be patched, possibly because they are too old. Google has issued a patch in its May 2016 Android Security Bulletin.
Newer Android devices that use Security Enhancements for Android (SEAndroid) are still affected, but to a lesser extent.
You can read a detailed analysis on how this critical vulnerability works over at the FireEye Security Blog.