Why most Android devices won't patch the Qualcomm bug

Qualcomm has patched a high-severity flaw, but handset manufacturers' reluctance to update older models means most of them will remain vulnerable

One of the high-severity vulnerabilities referenced in Google's most recent Android Security Bulletin could potentially let attackers access the SMS database and call history on targeted devices.

Researchers from FireEye's Mandiant Red Team discovered the flaw and worked with Qualcomm on the fix. A large number of Android devices are potentially affected, but most devices will likely remain unpatched.

CVE-2016-2060 is a local privilege escalation flaw in the software package maintained by Qualcomm. It was brought into Android in 2011 when Qualcomm contributed an API for the network_manager system service to the Android Open Source Project (AOSP). The flaw has to do with the lack of input sanitization of the "interface" parameter of Android's netd daemon.

A company modifying netd to offer additional tethering capabilities isn't unusual as device manufacturers and other non-AOSP vendors regularly add and modify system services. However, from an attacker's perspective, "new or changed APIs in system services are a prime target," FireEye researchers wrote in its analysis of the vulnerability.

FireEye and Qualcomm sent the software update to OEM partners last month to test and include in their device updates. Google referenced the vulnerability in the Android Security Bulletin as an information disclosure vulnerability in the Qualcomm Tethering Controller (CVE-2016-2060). The fact that Google didn't push out the the patch as part of its Nexus update suggests that none of its Nexus devices are affected by this vulnerability. The patch is also not included in the AOSP repository.

"The patch for this issue is not in AOSP. The update should be contained in the latest drivers of affected devices," Google said in the advisory.

However, Qualcomm's code and chip are widely used by manufacturers, so hundreds of models released over the last five years may be impacted. Open source software projects, such as popular Android fork CyanogenMod, have also used Qualcomm's vulnerable APIs.

Handset makers have to include the patch in their updates, then work with the cellular carriers to actually deliver the software to individual devices. Affected developers must get the latest drivers from device manufacturers to rebuild their projects to include the latest security updates for each supported model.

"This will make it particularly difficult to patch all affected devices, if not impossible," FireEye said.

FireEye researchers have not yet seen this vulnerability being actively exploited. Attackers simply have to trick victims into installing a malicious app on the device in order to trigger the flaw, and the bad news is that this kind of a malicious app likely wouldn't trigger any alerts. The app needs the ACCESS_NETWORK_STATE permission, which is a widely requested privilege, so users won't be able to tell the app is fishy merely by looking at the permissions list.

"Google Play will likely not flag it as malicious, and FireEye Mobile Threat Prevention did not initially detect it. It's hard to believe that any antivirus would flag this threat," FireEye said.

The malicious app would be able to gain elevated capabilities, such as Signature or SignatureOrSystem privileges, which are typically not accessible to third-party apps, Google said in the Android Security Bulletin. In this case, the app would be able to execute commands as the "radio" user, which means it has access to other system resources, such as Phone and Telephony Providers, and to system settings such as WRITE_SETTINGS_SECURE (change key system settings), BLUETOOTH_ADMIN (discover and pair Bluetooth devices), WRITE_APN_SETTINGS (change APN settings), DISABLE_KEYGUARD (disable lock screen).

The vulnerability was confirmed on Android versions Ice Cream Sandwich MR1 (4.0.3), Jellybean MR2 (4.3), KitKat (4.4), and Lollipop (5.0).

What an attacker would be able to do after successfully exploiting the vulnerability depends on the age of the Android device and how the device maker is using the system property subsystem. On older devices, the malicious app would be able to extract the SMS database and phone call database, access the Internet, and perform any other actions the radio user typically have access to, FireEye said. Newer devices, especially those running Android KitKat and later that utilize Security Enhancements for Android, are not impacted as significantly, since the netd daemon would not have the ability to interact with other radio application data, and has limited filesystem write capabilities, FireEye said. The app would still be able to modify some system properties maintained by the operating system.

While FireEye praised Qualcomm for its speed in fixing the vulnerability, the bottom line is the vast majority of affected Android devices will remain vulnerable so long as handset makers such as HTC, Samsung, and LG (to name a few), continue the current policy of not updating devices that are more than a year or two old. The burden remains on users to either stick with only official app sources or be very careful about the apps they install.

Relying on users is never good strategy, but that's the current state of Android security.

Copyright © 2016 IDG Communications, Inc.

How to choose a low-code development platform