Security bug could expose Android phones to hackers
(CBS News) – Security researchers are warning that a software bug could leave many Android phones vulnerable to hackers’ attacks. Security firm FireEye wrote in a blog post Thursday that a flaw in a software package from Qualcomm could give hackers access to everything from call histories to text messages. Older versions of Android, 4.3 and earlier, are reportedly more vulnerable than newer versions.
The bug, called CVE-2016-2060, was made possible when Qualcomm, a mobile chipmaker, provided developers with new APIs as part of the “network_manager” system service. The APIs later became part of another system service, the “netd” daemon.
FireEye says Qualcomm has issued a patch to fix the bug.
To access a phone’s data through this flaw, an attacker would need either physical access to an unlocked Android device or the ability to install a malicious app on the phone.
FireEye reports that such malware could interact with the flawed API without setting off any security alerts.
“Google Play will likely not flag it as malicious,” the firm wrote. “It’s hard to believe that any antivirus would flag this threat. Additionally, the permission required to perform this is requested by millions of applications, so it wouldn’t tip the user off that something is wrong.”
How many devices were at risk? The security firm said there is no definitive answer.
“Since many flagship and non-flagship devices use Qualcomm chips and/or Qualcomm code, it is possible that hundreds of models are affected across the last five years,” the firm wrote.
For its part, Qualcomm has said it has “patched” the “netd” daemon and also notified customers in March about the security flaw. FireEye wrote that, despite this, “many devices will likely never be patched.”