Software Integrity Blog


Improper input flaw affects most Android phones

On Thursday, security researchers disclosed a Qualcomm flaw that may expose users’ text messages, call histories, and possibly other sensitive data.

In a blog post from FireEye, the company’s Mandiant Red Team reported CVE-2016-2060, an instance of CWE-20 (Improper Input Validation). CodeAurora’s advisory states: “the netd service does not properly validate the interface name when a new upstream interface is added. This invalid name is then susceptible to be used as an argument in subsequent system commands.” “Netd” is a networking service that Qualcomm modified years ago to provide additional tethering capabilities. A malicious user could use the flaw to execute commands as the “radio” system user.
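The CodeAurora description above is the classic command-injection shape: an attacker-controlled string (an interface name) reaches a system command without a strict validity check. The following C example, added here and not taken from Qualcomm’s, AOSP’s or FireEye’s code, shows the defensive pattern: an allowlist validator for interface names, the weak way of building a command (interpolating the name into a shell string, shown only as a string that is never executed) beside the safer way (validate, then build an `execve`-style argv so the name is always a single argument and no shell parses it). The `/system/bin/ip link set … up` command is a hypothetical stand-in; the page does not say which commands netd actually ran.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Linux limits interface names to IFNAMSIZ (16) bytes including the NUL. */
#ifndef IFNAMSIZ
#define IFNAMSIZ 16
#endif

/*
 * Allowlist check for a network interface name (hypothetical policy for this
 * example). The kernel is permissive about what an interface may be called, so
 * a privileged service that later hands the name to a command interpreter must
 * enforce its own strict rule: bounded length, letter first, then only
 * alphanumerics, '_', '-' and '.'. Everything else, including whitespace and
 * shell metacharacters, is rejected.
 */
bool is_valid_iface_name(const char *name)
{
    if (name == NULL)
        return false;
    size_t len = strnlen(name, IFNAMSIZ);
    if (len == 0 || len >= IFNAMSIZ)          /* empty, too long, or unterminated */
        return false;
    if (!isalpha((unsigned char)name[0]))     /* must start with a letter */
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return false;
    }
    return true;
}

/*
 * Weak pattern: the raw name is interpolated into a shell command line, so any
 * shell metacharacter inside it becomes part of the command. This function only
 * returns the string that would have been passed to system(); nothing runs it.
 */
int build_shell_cmd_unsafe(const char *iface, char *out, size_t outlen)
{
    return snprintf(out, outlen, "/system/bin/ip link set %s up", iface);
}

/*
 * Safer pattern: validate first, then build an argv vector for execve(). The
 * interface name occupies exactly one argv slot, so it can never be split into
 * extra commands or arguments. Returns the argument count, or -1 on rejection.
 */
int build_argv_safe(const char *iface, const char *argv[], size_t argv_slots)
{
    if (argv_slots < 6 || !is_valid_iface_name(iface))
        return -1;
    argv[0] = "/system/bin/ip";   /* hypothetical tool path for the example */
    argv[1] = "link";
    argv[2] = "set";
    argv[3] = iface;              /* a single argument, never re-parsed by a shell */
    argv[4] = "up";
    argv[5] = NULL;
    return 5;
}

int main(void)
{
    /* Constructed sample inputs: a normal name and one carrying a metacharacter. */
    const char *samples[] = { "rndis0", "wlan0; id" };
    for (size_t i = 0; i < 2; i++) {
        char cmd[128];
        const char *argv[6];
        build_shell_cmd_unsafe(samples[i], cmd, sizeof cmd);
        int rc = build_argv_safe(samples[i], argv, 6);
        printf("input %-12s shell string: \"%s\"  argv build: %s\n",
               samples[i], cmd, rc < 0 ? "rejected" : "accepted");
    }
    return 0;
}
```

The point of the comparison is that the fix is not merely “escape the string”: once the name is passed as its own argv element, validation still matters (a name can be malformed for other reasons), but an unexpected character can no longer change which command runs.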

In practice, it allows low-privileged apps from Google Play to access sensitive data that is supposed to be off-limits on a phone running Android. Devices running Android 4.3 (“Jelly Bean MR2”) or older are the most affected by the vulnerability; newer devices are also affected, but to a lesser extent.

“CVE-2016-2060 has been present on devices since at least 2011 and likely affects hundreds of Android models around the world,” FireEye researchers wrote. “This vulnerability allows a seemingly benign application to access sensitive user data including SMS and call history and the ability to perform potentially sensitive actions such as changing system settings or disabling the lock screen. Devices running Android 4.3 (“Jelly Bean MR2”) or older are the most affected by the vulnerability, and are likely to remain unpatched. Newer devices utilizing SEAndroid are still affected, but to a lesser extent.”

Google patched the Android vulnerability on May 1. However, many Android users do not receive all updates from Google: carriers and handset makers are slow to push these updates out to end users, and end users are also slow to install the updates when offered.
