
60 percent of enterprise Android phones prone to QSEE vulnerability


Duo Labs researchers found 60 percent of enterprise Android phones are affected by a vulnerability that could allow an attacker to remotely run any code in Qualcomm Secure Execution Environment (QSEE).

The January 2016 monthly security update is the only patch available for phones with the affected software and only 25 percent of the Qualcomm-based phones seen by Duo Labs have applied that update, company Senior Research and Development Engineer Kyle Lady said in a blog post.

To make matters worse, 27 percent of Android phones are too old to receive the monthly updates and will remain permanently vulnerable, according to the post.
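The patch status the article reports is something an administrator can check on managed devices. Android 6.0 and later expose the installed security patch level in the `ro.build.version.security_patch` system property (a `YYYY-MM-DD` string); older devices do not set it, which matches the group the article describes as too old to receive monthly updates. The following script is an added example, not code from Duo Labs or SC Media: it classifies devices against the January 2016 bulletin, assuming that bulletin corresponds to patch level `2016-01-01`, and treats an empty property as "unknown" rather than as patched. The sample fleet data is constructed; `read_patch_level` shows how the same value would be pulled from a connected device with `adb`. It does not determine whether a device uses a Qualcomm chipset, so "vulnerable" here means "not at the required patch level".

```python
import subprocess
from datetime import date
from typing import Dict, Optional

# Assumption: the January 2016 Android security bulletin corresponds to
# patch level 2016-01-01 (the format used by ro.build.version.security_patch).
REQUIRED_PATCH_LEVEL = date(2016, 1, 1)


def parse_patch_level(prop_value: str) -> Optional[date]:
    """Parse a ro.build.version.security_patch value.

    Returns None when the property is empty or malformed; devices older than
    Android 6.0 do not set it, so their patch level cannot be read this way.
    """
    value = prop_value.strip()
    if not value:
        return None
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None


def classify(prop_value: str) -> str:
    """Bucket one device as 'patched', 'vulnerable' or 'unknown'."""
    level = parse_patch_level(prop_value)
    if level is None:
        # No readable patch level: the device is likely too old for monthly
        # updates, so it must not be counted as patched.
        return "unknown"
    return "patched" if level >= REQUIRED_PATCH_LEVEL else "vulnerable"


def summarize(fleet: Dict[str, str]) -> Dict[str, int]:
    """Count devices per bucket, given {serial: property value}."""
    counts = {"patched": 0, "vulnerable": 0, "unknown": 0}
    for prop_value in fleet.values():
        counts[classify(prop_value)] += 1
    return counts


def read_patch_level(serial: str) -> str:
    """Read the property from a USB-attached device via adb (hypothetical
    helper; requires adb on PATH and an authorized device)."""
    result = subprocess.run(
        ["adb", "-s", serial, "shell", "getprop", "ro.build.version.security_patch"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


# Constructed sample fleet: serial -> property value as adb would return it.
SAMPLE_FLEET = {
    "DEV001": "2016-03-01\n",   # newer than the January update
    "DEV002": "2015-12-01\n",   # December 2015 level, still exposed
    "DEV003": "\n",             # pre-6.0 device, property unset
    "DEV004": "2016-01-01\n",   # exactly the January update
    "DEV005": "2015-11-01\n",   # November 2015 level
}

if __name__ == "__main__":
    for serial, value in SAMPLE_FLEET.items():
        print(f"{serial}: {classify(value)}")
    print(summarize(SAMPLE_FLEET))
```

Treating the empty property as "unknown" is the important design choice: a fleet report that silently counts unreadable devices as compliant hides exactly the population the article says will never be fixed.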

“If an attacker can get a user to run a malicious app on an affected Android device, the attacker can gain complete control over the entire device by exploiting this QSEE vulnerability,” Lady said in the post.

The vulnerability (CVE-2015-6639) exists in the special secure operating system that runs on the QSEE, Lady said via emailed comments.

“Essentially, an attacker ‘leapfrogs’ into the QSEE via a vulnerability in a less-trusted application,” he said. “It assumes that the attacker has a vulnerability in Android's ‘mediaserver’, which is a reasonable assumption, given that there are vulnerabilities in mediaserver announced nearly every month.”

Lady said once attackers have control of the mediaserver, they can access the QSEE via a vulnerability in one of QSEE's "secure" apps.

He recommended users update their phones to the newest version possible, use Nexus series phones to avoid waiting for manufacturers and carriers to distribute updates, and avoid installing unneeded applications. 
