Android devices are vulnerable to attack owing to a newly discovered bug that permits local privilege escalation to the device's “radio,” according to FireEye.
The flaw could enable attackers to get a look at a victim's SMS database and phone history – without any performance impact, so users are unaware of the intrusion.The flaw affects older devices more than newer versions.
Mandiant's Red Team discovered the vulnerability in a software package maintained by Qualcomm.
The defect debuted when Qualcomm, as part of its "network_manager" system service, delivered new APIs to extend tethering options.
It's possible that hundreds of models are at risk as Qualcomm chips and code are widely used on Android devices and the code has been circulating for five years.
Qualcomm has issued patches and alerted customers, but as OEMs must provide updates, many devices are likely not going to be patched.