
'The Red Team' discovers widespread Android vulnerability

09 May 2016

A new, widespread Android vulnerability has been identified by FireEye and Mandiant, the consultancy arm of the company.

According to a new report, Mandiant’s Red Team discovered that the vulnerability permits local privilege escalation to the built-in user ‘radio’, so an attacker can potentially perform activities such as viewing the victim’s SMS database and phone history.

According to the Red Team, the vulnerability was introduced when Qualcomm provided new APIs as part of the 'network_manager' system service, and subsequently the 'netd' daemon, that allow additional tethering capabilities, possibly among other things.

Since many flagship and non-flagship devices use Qualcomm chips and/or Qualcomm code, it is possible that hundreds of models are affected across the last five years, the team says.

Qualcomm has addressed the issue by patching the 'netd' daemon. Qualcomm notified their customers (all of the OEMs) in early March 2016. The OEMs will now need to provide updates for their devices; however, many devices will likely never be patched, the Red Team says.

There are two ways to exploit this vulnerability, though this does not account for a determined attacker who possesses additional vulnerabilities. The first is to have physical access to an unlocked device, and the second is to have a user install a malicious application on the device.

On older devices, the malicious application can extract the SMS database and phone call database, access the internet, and perform any other capabilities allowed by the 'radio' user. Some examples of the 'radio' user's potential capabilities are presented in the blog itself, though not all of them could be tested, according to the report.

The impact of the vulnerability depends entirely on how the OEM is using the system property subsystem, the Red Team says. It should be noted that once the vulnerability is exploited, there is no indication to the user that something has happened. For example, there is no performance impact or risk of crashing the device.

Since this is an open-source software package developed and made freely available by Qualcomm, people are using the code for a variety of projects, including CyanogenMod (a fork of Android). The vulnerable APIs have been observed in a Git repository from 2011, indicating that someone was using this code at that time. This will make it particularly difficult to patch all affected devices, if not impossible, the Red Team concludes.
