SNAPDRAGON-POWERED ANDROID SMARTPHONES are at risk from a "undetectable" Qualcomm software flaw that has left users' text messages and call histories open to hackers.
The flaw in question is CVE-2016-2060, and is described by FireEye offshoot Mandiant as a lack of input sanitization of the "interface" parameter of the "netd" daemon that is part of the Android Open Source Project (AOSP).
When Qualcomm introduced new APIs as part of the Android network manager system service, vulnerable phones were then connected to the "netd" daemon, which allowed an attacker to potentially perform tasks such as viewing a users' SMS database and phone history.
Those most at risk are the 34 per cent of Android users running versions 4.3 and earlier, as they lack a feature called Security Enhancements for Android (SEAndroid) and likely will remain unpatched.
The researchers note that the flaw, which can be exploited by a hacker physically unlocking an unprotected device or by the user installing a malicious application, is largely undetectable.
"Any application could interact with this API without triggering any alerts," Mandiant says. "Google Play will likely not flag it as malicious, and FireEye Mobile Threat Prevention (MTP) did not initially detect it.
"It's hard to believe that any antivirus would flag this threat. Additionally, the permission required to perform this is requested by millions of applications, so it wouldn't tip the user off that something is wrong."
It's unclear how many handsets are affected, but the researchers note that it's possible hundred of models have been affected since the flaw was introduced in 2011.
In a statement given to the INQUIRER, a Qualcomm spokesperson said that it hasn't seen any evidence that the vulnerability has been exploited.
"Enabling robust security and privacy is a top priority for Qualcomm Technologies, Inc. Recently, we worked with Mandiant, a FireEye company, to address the vulnerability (CVE-2016-2060) that may affect Android-based devices powered by certain Snapdragon processors.
"We are not aware of any exploitation of this vulnerability. We have made security updates available to our customers to address this vulnerability."
The vulnerability was patched in the Android security patch that Google released on 1 May.
Culled from The INQUIRER