Story image

'The Red Team' discovers widespread Android vulnerability

09 May 16

A new, widespread Android vulnerability has been identified by FireEye and Mandiant, the consultancy arm of the company.

According to a new report, Mandiant’s Red Team discovered the vulnerability permits local privilege escalation to the built-in user ‘radio’, making it so an attacker can potentially perform activities such as viewing the victim’s SMS database and phone history. 

According to the Red Team, the vulnerability was introduced when Qualcomm provided new APIs as part of the 'network_manager' system service, and subsequently the 'netd' daemon, that allow additional tethering capabilities, possibly among other things.

Since many flagship and non-flagship devices use Qualcomm chips and/or Qualcomm code, it is possible that hundreds of models are affected across the last five years, the team says.

Qualcomm has addressed the issue by patching the 'netd' daemon. Qualcomm notified their customers (all of the OEMs) in early March 2016. The OEMs will now need to provide updates for their devices; however, many devices will likely never be patched, the Red Team says.

There are two ways to exploit this vulnerability, though this does not account for a determined attacker who possesses additional vulnerabilities. The first is to have physical access to an unlocked device, and the second is to have a user install a malicious application on the device.

On older devices, the malicious application can extract the SMS database and phone call database, access the internet, and perform any other capabilities allowed by the 'radio' user. Some examples of potential capabilities of the 'radio' user are presented in the blog itself, though it was difficult for all of these to be tested, according to the report.

The impact of the vulnerability depends entirely on how the OEM is using the system property subsystem, the Red Team says. It should be noted that once the vulnerability is exploited, there is no indication to the user that something has happened. For example, there is no performance impact or risk of crashing the device.

Since this is an open-source software package developed and made freely available by Qualcomm, people are using the code for a variety of projects, including Cyanogenmod (a fork of Android). The vulnerable APIs have been observed in a Git repository from 2011, indicating that someone was using this code at that time. This will make it particularly difficult to patch all affected devices, if not impossible, the Red Hat team concludes.

Cofense launches MSSP program to provide phishing defence for SMBs
SMBs are highly susceptible to phishing attacks, and often lack the resources necessary to stop advanced threats
Hillstone CTO's 2019 security predictions
Hillstone Networks CTO Tim Liu shares what key developments could be expected in the areas of security compliance, cloud, security, AI and IoT.
Can it be trusted? Huawei’s founder speaks out
Ren Zhengfei spoke candidly in a recent media roundtable about security, 5G, his daughter’s detainment, the USA, and the West’s perception of Huawei.
Oracle Java Card update boosts security for IoT devices
"Java Card 3.1 is very significant to the Internet of Things, bringing interoperability, security and flexibility to a fast-growing market currently lacking high-security and flexible edge security solutions."
Sophos hires ex-McAfee SVP Gavin Struther
After 16 years as the APAC senior vice president and president for McAfee, Struthers is now heading the APJ arm of Sophos.
Security platform provider Deep Instinct expands local presence
The company has made two A/NZ specific leadership hires and formed several partnerships with organisations in the region.
Half of companies unable to detect IoT device breaches
A Gemalto study also shows that the of blockchain technology to help secure IoT data, services and devices has doubled in a year.
Stepping up to sell security services in A/NZ
WatchGuard Technologies A/NZ regional director gives his top tips on how to make a move into the increasingly lucrative cybersecurity services market.