A vulnerability in an Android component shipped with phones that use Qualcomm chips puts users’ text messages and call history at risk of theft.
The flaw was found by security researchers from FireEye and was patched by Qualcomm in March. However, because the vulnerability was introduced five years ago, many affected devices are unlikely to ever receive the fix because they’re no longer supported by their manufacturers.
The vulnerability, which is tracked as CVE-2016-2060, is located on an Android component called “netd” that Qualcomm modified in order to provide additional tethering capabilities. Malicious applications could exploit the flaw in order to execute commands as the “radio” system user, which has special privileges.
Since Qualcomm chips are quite popular with handset manufacturers, the FireEye researchers estimate that hundreds of Android phone models are affected. And since there are over 1.4 billion active Android devices in the world, this likely means that the flaw is present in millions of devices.
According to a security advisory from the Qualcomm Innovation Center, the flaw affects all Android Jelly Bean, KitKat and Lollipop releases.
Submitted by: Arnfried Walbrecht