A Qualcomm networking vulnerability has existed in many Android devices for the past five years, affecting devices running Android 4.0.3 and later. The flaw is less damaging for devices running Android 4.4 or newer, which have SELinux enabled by default.
This vulnerability was introduced by Qualcomm when it provided new APIs as part of the "network_manager" system service and the "netd" daemon that allowed additional tethering capabilities, among other things.
FireEye contacted Qualcomm in January about the discovery of this vulnerability. According to the company, Qualcomm was highly cooperative and took it upon itself to patch its netd daemon within 90 days. Qualcomm released the patch to carriers, and it was also included in the May security update for Android.
However, it’s now up to manufacturers and wireless carriers to deliver this patch to the hundreds of millions of devices that are likely affected by this flaw. Considering most Android devices aren’t updated past the one-year or year-and-a-half mark, chances are most of the devices affected by this bug will remain vulnerable to exploitation.
The vulnerability could be used by an attacker through a malicious app that would first need to be installed by the user. However, the user may have no idea that the app is malicious, because it won’t trigger any alerts either in Google’s own anti-malware service or in most other antivirus software. That’s because those networking APIs are used by many other well-behaved apps, as well. It also won’t cause any crashes or performance issues.
A malicious application can extract the SMS and phone call databases, access the internet, and perform anything else the “radio” user is allowed to do. It may also be able to modify additional system properties, but that depends on the manufacturer’s own implementation of the system properties subsystem.
Devices running Android 4.4 or newer, which have SELinux enabled by default, are less impacted by the vulnerability because the netd context is more limited in how it interacts with applications and the file system.
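A triage check a defender might run over a fleet of devices, added here as an example and not part of the article or of FireEye's or Qualcomm's own tooling: it classifies a device from the three facts the article gives (Android release, SELinux mode, security patch level). The property names are the standard Android ones; the exact fix patch level is an assumption, since the article names only the May update.

```shell
# Triage helper built from the facts in the article: Android 4.0.3 and
# later is affected, SELinux enforcing (the 4.4+ default) confines netd and
# reduces impact, and the May security update carries the fix. The year in
# FIX_PATCH_LEVEL is assumed from the article's timeline.
FIX_PATCH_LEVEL="2016-05-01"

# ver_ge A B: succeed if dotted version A >= B, compared component-wise.
ver_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "$x" = "$a" ] && a="" || a="${a#*.}"
        [ "$y" = "$b" ] && b="" || b="${b#*.}"
        x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"   # drop suffixes like "2-beta"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# classify RELEASE SELINUX_MODE PATCH_LEVEL
# prints: patched | reduced | exposed | unaffected | unknown
classify() {
    release="$1"; selinux="$2"; patch="$3"
    [ -n "$release" ] || { echo unknown; return 0; }
    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            if [ "$(echo "$patch" | sed 's/-//g')" -ge "$(echo "$FIX_PATCH_LEVEL" | sed 's/-//g')" ]; then
                echo patched; return 0
            fi ;;
    esac
    ver_ge "$release" "4.0.3" || { echo unaffected; return 0; }
    # Permissive or disabled SELinux gives netd no confinement: treat as exposed.
    if ver_ge "$release" "4.4" && [ "$selinux" = "Enforcing" ]; then
        echo reduced; return 0
    fi
    echo exposed
}

# On a device (adb shell) read the live values; the security_patch
# property only exists on Android 6.0+, so it is often empty.
device_status() {
    classify "$(getprop ro.build.version.release 2>/dev/null)" \
             "$(getenforce 2>/dev/null)" \
             "$(getprop ro.build.version.security_patch 2>/dev/null)"
}

# Run live only on an Android shell where getprop exists.
if command -v getprop >/dev/null 2>&1; then device_status; fi
```

A "patched" result only says the device reports the May bulletin level; "reduced" still means the netd flaw is present, just confined by SELinux.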
FireEye hasn’t seen exploitation of this vulnerability in the wild yet, but it would not be surprising to see attackers use it in the future.
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.