Bugs in Android API jeopardize smartphones with Qualcomm chips

The vulnerability has been confirmed on Android versions from 2011 up to Lollipop. It has not yet been actively exploited, but it represents a threat to users' privacy.

Over time, Android has gained the reputation of being the least secure mobile platform. In many cases this unfair reputation is due to the freedom it gives users and developers; in other cases vulnerabilities have been found within the code of the operating system itself, as in the case of Stagefright and in this latest case, unearthed by the Mandiant Red Team. Revealed by FireEye, the vulnerability allows malicious users to escalate privileges.

The exploit is possible because of a bug in code introduced by Qualcomm, and it is feasible only on devices that have the American company's chips and use this part of the code. The vulnerable APIs were integrated in 2011 into the network_manager system service and the xinetd process, and they allow the "radio" user, the system account linked to networking functions, to gain access to data that really should not concern it.

This data includes SMS messages and call history, which have little to do with the device's networking. Certain factors make the vulnerability more dangerous: malicious applications can simply use the official Android APIs to exploit the bug, which makes malware detection by automated security software significantly more difficult.

FireEye itself, which disclosed the news, did not initially detect any malicious access to the device using its proprietary tools. Yet a user only has to download a seemingly innocuous application that requests network access permissions to become a victim. It is also hard to determine the scope of the vulnerability because of the fragmentation of the various versions of Android.

The offending APIs were released in 2011, when Gingerbread 2.3 was the latest version of the operating system. To date, the vulnerability has been observed on Jelly Bean (4.3), KitKat (4.4) and Lollipop (5.0), and it is naturally more dangerous on older devices that lack the most modern security mechanisms and are unlikely to be updated by the manufacturer. Qualcomm already released a security patch last March and alerted its partners, but of course not all models will receive it.

The good news is that the bug has not yet been actively exploited by fraudsters, although FireEye admits that a victim of the exploit would have little chance of finding out.