Duo Labs researchers found 60 percent of enterprise Android phones are affected by a vulnerability that could allow an attacker to remotely run any code in Qualcomm Secure Execution Environment (QSEE).
The January 2016 monthly security update is the only patch available for phones with the affected software and only 25 percent of the Qualcomm-based phones seen by Duo Labs have applied that update, company Senior Research and Development Engineer Kyle Lady said in a blog post.
To make matters worse, 27 percent of Android phones are too old to receive the monthly updates and will remain permanently vulnerable, according to the post.
“If an attacker can get a user to run a malicious app on an affected Android device, the attacker can gain complete control over the entire device by exploiting this QSEE vulnerability,” Lady said in the post.
The vulnerability (CVE-2015-6639) exists in the special secure operating system that runs on the QSEE, Lady told SCMagazine.com via emailed comments.
“Essentially, an attacker ‘leapfrogs' into the QSEE via a vulnerability in a less-trusted application,” he said. “It assumes that the attacker has a vulnerability in Android's ‘mediaserver', which is a reasonable assumption, given that there are vulnerabilities in mediaserver announced nearly every month.”
Lady said once attackers have control of the mediaserver, they can access the QSEE via a vulnerability in one of QSEE's "secure" apps.
He recommended users update their phones to the newest version possible, use Nexus series phones to avoid waiting for manufacturers and carriers to distribute updates, and avoid installing unneeded applications.