Android Qualcomm flaw lets hackers access your texts, call logs, and browsing histories

Faulty Qualcomm code gives hackers key to your text messages and call history

Android

A security flaw affecting hundreds of Android phones using Qualcomm chips potentially lets hackers access a phone's SMS text messages, call log and internet browser.

Security firm FireEye discovered the vulnerability in January, but is only now being reported as Qualcomm has since issued a patch to handset manufacturers.

The security hole, which has been given the designation CVE-2016-2060, is a lack of input sanitisation in the "interface" parametre of the "netd" daemon in Android, FireEye said.

This means an attacker can, in theory, gain access to all of a device's "radio" functions, including its browser, SMS logs and call logs, as well as changing system permissions, such as disabling the lock screen or discovery of and pairing with Bluetooth devices.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

All versions of Android are impacted from Gingerbread (2.3) to Lollipop (5), although devices running Jellybean (4.3) and older are most at risk. This is because they do not include Security Enhancements for Android (SEAndroid), which separates out the "netd" executable and severely limits its interactions with other applications.

"Since this is an open-source software package developed and made freely available by Qualcomm, people are using the code for a variety of projects, including Cyanogenmod (a fork of Android). The vulnerable APIs have been observed in a Git repository from 2011, indicating that someone was using this code at that time. This will make it particularly difficult to patch all affected devices, if not impossible," said FireEye in a blog post.

FireEye praised Qualcomm's response to the issue, stating: "When contacted by FireEye, Qualcomm was extremely responsive throughout the entire process. They fixed the issue within 90 days a window they set, not FireEye. FireEye would like to thank Qualcomm for their cooperation throughout the disclosure and diligence with addressing the issues."

It is now up to the handset manufacturers to roll out patches to their devices.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/hardware/laptops/354533/dell-xps-13-new-9300-hands-on-review-chasing-perfection
Laptops

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020