Security researchers have uncovered a bug in Google Android devices that could leave potentially millions of smartphones and tablets manufactured over the last five years open to attack.
FireEye’s Mandiant security research team discovered the exploit last December but went public with its findings for the first time today.
The vulnerability exists in Qualcomm code which has been available in open source repositories for use on various iterations of Android devices since as far back as 2011.
An attacker could exploit a bug in the Qualcomm tethering controller to gain access to Google’s “radio” user, which has enough privileges on the Android operating system to access a device owner’s SMS and call records.
Attackers would need either physical access to an unlocked device, or they would need to convince a user to install a malicious application to exploit the bug.
Qualcomm issued a patch for the "netd" daemon in which the flaw resides earlier this year, and Google followed suit last month.
However, since the vulnerable APIs have been available in git repositories since 2011, patching all affected devices will be a tough, if not impossible, task.
Mandiant research senior security consultant Jake Valletta told iTnews he was reluctant to quantify how many Android-based devices the bug affected but expected it would be in the millions.
“I would probably peg this in the millions. It affects a lot of phones that we were able to test doing the research ourselves,” Valletta said.
“At some point over the last four years those devices were vulnerable. Whether they’ve been patched now, I can’t say. I would say that there is probably a large portion of devices on the market that are vulnerable.”
Only newer Google Android devices are likely to be patched, given that the device manufacturers and carriers charged with providing software updates for the phones tend to ignore older devices running more dated versions of the Android operating software.
In Australia, telco carriers are the main conduit for Android device software updates but have had a habit of passing the buck to manufacturers when confronted about newly discovered vulnerabilities.
In the case of the latest bug, Valletta said Qualcomm had been highly responsive to FireEye and worked conscientiously to a tight timeframe to patch its software and notify manufacturers.
However, he was less confident that manufacturers and carriers would cooperate to provide security patches.
“What we notice is that the carriers are going to patch their most popular and current models while the others might not see security fixes so they remain vulnerable,” he said.