'Undetectable' Qualcomm code vulnerability lays bare Android users' text messages and call histories

Users running Android 4.3 and earlier most at risk

An "undetectable" software flaw in Qualcomm Snapdragon-powered Android smartphones could lay bare users' text messages and call histories to hackers.

The flaw, CVE-2016-2060, is described by FireEye offshoot Mandiant as a lack of input sanitisation of the "interface" parameter of the "netd" daemon that is part of the Android Open Source Project (AOSP).

When Qualcomm introduced new APIs as part of the Android network manager system service, vulnerable phones were then connected to the "netd" daemon, which enabled an attacker to potentially perform tasks such as viewing a user's SMS database and phone history.
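The class of fix for a missing check like the one Mandiant describes is an allow-list validation of the interface name before it reaches any command. The following is an added illustration, not code from Qualcomm, AOSP or Mandiant: the permitted character set, the 15-character limit, the helper `build_iface_argv` and the command name `example-netcfg` are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Assumption: 15 characters, matching the Linux limit (IFNAMSIZ is 16 with NUL). */
#define IFACE_MAX_LEN 15

/* Allow-list check: accept only letters, digits, '_', '-' and '.'. */
bool is_valid_iface_name(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    /* "." and ".." are never usable interface names. */
    if (name[0] == '.' && (name[1] == '\0' || (name[1] == '.' && name[2] == '\0')))
        return false;
    for (size_t i = 0; name[i] != '\0'; i++) {
        char c = name[i];
        if (i >= IFACE_MAX_LEN)
            return false;               /* too long */
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
        if (!ok)
            return false;               /* whitespace, quotes, ';', '|', '$', '/' ... */
    }
    return true;
}

/*
 * Hypothetical helper: build an argument vector for an exec-style call so the
 * interface name travels as a single argument and is never parsed by a shell.
 * "example-netcfg" is a placeholder command name, not a real tool.
 * Returns 0 on success, -1 if the name is rejected or argv is too small.
 */
int build_iface_argv(const char *iface, const char *argv[], size_t argv_len)
{
    if (argv_len < 4 || !is_valid_iface_name(iface))
        return -1;
    argv[0] = "example-netcfg";
    argv[1] = "--interface";
    argv[2] = iface;
    argv[3] = NULL;
    return 0;
}
```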

Those most at risk are the 34 per cent of Android users running versions 4.3 and earlier, as they lack a feature called Security Enhancements for Android (SEAndroid) and will likely remain unpatched.

The researchers note that the flaw, which can be exploited by a hacker physically unlocking an unprotected device or by the user installing a malicious application, is largely undetectable.

"Any application could interact with this API without triggering any alerts," Mandiant warns. "Google Play will likely not flag it as malicious, and FireEye Mobile Threat Prevention (MTP) did not initially detect it.

"It's hard to believe that any antivirus would flag this threat. Additionally, the permission required to perform this is requested by millions of applications, so it wouldn't tip the user off that something is wrong."

It's unclear how many handsets are affected, but the researchers note that it's possible hundreds of models have been affected since the flaw was introduced in 2011.

In a statement given to the INQUIRER, a Qualcomm spokesperson said that it hasn't seen any evidence that the vulnerability has been exploited.

"Enabling robust security and privacy is a top priority for Qualcomm Technologies, Inc. Recently, we worked with Mandiant, a FireEye company, to address the vulnerability (CVE-2016-2060) that may affect Android-based devices powered by certain Snapdragon processors.

"We are not aware of any exploitation of this vulnerability. We have made security updates available to our customers to address this vulnerability."

The vulnerability was patched in the Android security patch that Google released on 1 May.