Five-Year-Old Qualcomm Vulnerability Affects Devices Running Android 4.0.3 And Later

A Qualcomm networking vulnerability has existed in many Android devices for the past five years, affecting devices running Android 4.0.3 and later. The flaw is less damaging for devices running Android 4.4 or newer, which have SELinux enabled by default.

This vulnerability was introduced by Qualcomm when it provided new APIs as part of the "network_manager" system service and the "netd" daemon that allowed additional tethering capabilities, among other things.

FireEye contacted Qualcomm in January about the discovery of this vulnerability. According to the company, Qualcomm was highly cooperative and took it upon itself to patch its netd daemon within 90 days. Qualcomm released the patch to carriers, and it was also included in the May security update for Android.

However, it’s now up to manufacturers and wireless carriers to provide this patch to the hundreds of millions of devices that are likely affected by this flaw. Considering most Android devices aren’t updated past the one-year or year-and-a-half mark, chances are most of the devices affected by this bug will continue to remain vulnerable to exploitation.

The vulnerability could be used by an attacker through a malicious app that would first need to be installed by the user. However, the user may have no idea that the app is malicious, because it won’t trigger any alerts either in Google’s own anti-malware service or in most other antivirus software. That’s because those networking APIs are used by many other well-behaved apps, as well. It also won’t cause any crashes or performance issues.

A malicious application can extract SMS and phone call databases, access the internet, and use any other capabilities allowed to the “radio” user. The application can also modify additional system properties, but that depends on the manufacturers’ own implementation of the system properties subsystem.

Devices running Android 4.4 or newer, which have SELinux enabled by default, are less impacted by the vulnerability because the netd context is more limited in how it interacts with applications and the file system.

FireEye hasn’t seen exploitation of this vulnerability in the wild yet, but it would not be surprising to see attackers use it in the future.

Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu. 

Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • gggplaya
    So basically, time to buy a new phone because there's a fat chance your phone will be patched.
  • targetdrone
    100s of millions of phones that will never ever get fixed because OEMs and Carriers stop support after 12 months (if that)

    Now apply this stupid software support life cycle to "Smart Cars"
  • jkhoward
    100s of millions of phones that will never ever get fixed because OEMs and Carriers stop support after 12 months (if that)

    Now apply this stupid software support life cycle to "Smart Cars"

    And this is why I buy Apple. At least they keep their products updated, for better or worse. Yeah it may slow it down, but at least it's patched.
  • sh4dow83
    Well... My Nexus 4 is already considered pretty old, yet the last official version is Lollipop and I'm running Marshmallow.

    So... How old do phones have to be to not even support 4.4? Is e.g. the Nexus One affected, considering that it was released 6 years ago but uses a Qualcomm chip?
  • ravinmachine
    Or you can install CyanogenMod and have Android 6.0.1. I have it installed on my wife's Samsung Galaxy S3. A phone the telecoms stopped patching at Android 4.4.4. And it works better now, even freed up about 4 GB of space.
  • mrmez
    Yeah, but at least I'm not getting ripped off by Apple.
    Amirite???
  • house70
    17927045 said:
    Well... My Nexus 4 is already considered pretty old, yet the last official version is Lollipop and I'm running Marshmallow.

    So... How old do phones have to be to not even support 4.4? Is e.g. the Nexus One affected, considering that it was released 6 years ago but uses a Qualcomm chip?

    Nexus One capped at 2.3.7, if I recall. Not many phones out there that still run 4.0.3. At that age, hardware becomes an issue way before software shows its glitches.
  • jkhoward
    17927856 said:
    Yeah, but at least I'm not getting ripped off by Apple.
    Amirite???

    Apple doesn't rip you off with their mobile devices. A flagship phone from any company is right around the same cost as an iPhone.