Google announced this week that it released an Android update to patch shedloads of vulnerabilities, but the advisory mentioned an information disclosure vulnerability in the Qualcomm tethering controller (CVE-2016-2060) that allows a malicious application to access user information.
FireEye said that this vulnerablity is “high severity,” but Google noted that it does not affect Nexus devices. The patch for the issue is not in the Android Open Source Project (AOSP) repository but might make it in the latest driver updates for affected devices.
The security outfit said that researchers informed Qualcomm about the vulnerability in January and the vendor developed a fix by early March, when it started reaching out to OEMs to let them know about the issue. Now it’s up to the device manufacturers to push out the patch to customers. So probably a long time then.
The flaw exists in an open source software package maintained by Qualcomm and is related to the Android network daemon (netd).
“The vulnerability was introduced when Qualcomm provided new APIs as part of the ‘network_manager’ system service, and subsequently the ‘netd’ daemon, that allow additional tethering capabilities, possibly among other things,” FireEye said.
The flaw has been confirmed to affect devices running Android 5.0 Lollipop and earlier, which currently account for roughly three-quarters of Android devices. Researchers noted that the affected Qualcomm software package is used in a variety of projects, including the popular CyanogenMod, and the vulnerable APIs appear to have been around since at least 2011.
The vulnerability can be exploited to escalate privileges to the built-in “radio” user, which has permissions that are normally not available to a third-party app. The most efficient way to exploit CVE-2016-2060 is via a malicious application that is granted the “ACCESS_NETWORK_STATE” permission.