If left unaddressed, a recently patched Android vulnerability affecting Google and Motorola Mobility's Nexus 6 and Nexus 6P phablets can allow attackers to invade device owners' privacy and steal their information, according to an analysis report by IBM's X-Force Application Security Research Team.
In a recent blog post and corresponding report, IBM X-Force reported that adversaries can exploit the high-severity flaw, officially designated CVE-2017-8467, by first using PC malware or malicious chargers to reboot the device and then implementing a special “boot mode” configuration that causes the Android OS to turn on multiple extra USB interfaces. These interfaces, especially the "modem diagnostics" interface, give attackers access to powerful functionalities that essentially let them take over the Nexus 6 modem.
The reboot process is made possible by leveraging a debugging tool called Android Debug Bridge (ADB), which is also used by developers for sideloading Android application packages. Controlling the modem allows bad actors to intercept or place phone calls, sniff mobile data packets, steal call information and determine a device's exact GPS coordinates with detailed satellite information, IBM reported.
The 6P model phone isn't quite as vulnerable because it comes with its modem diagnostics disabled in the firmware. However, there are other available USB interfaces that allow attackers to send or spy on SMS messages and possibly bypass two-factor authentication, the report explains.
IBM X-Force also warned that attackers can use an ADB-authorized PC to open a connected ADB session on the 6P device and subsequently install malware. Google patched the Android flaw, classified as both a denial of service error and an elevation of privilege vulnerability in the bootloader, in its January update. According to Google, the DoS component of the flaw "could enable an attacker to cause a local permanent denial of service, which may require reflashing the operating system to repair the device."
UPDATE 1/13: The IBM X-Force Application Security Research Team also found a privilege vulnerability in the bootloader of OnePlus 3 phones running the customized Android operating system OxygenOS 4.0.1 and below. According to a Jan. 11 X-Force Exchange platform entry, an attacker with direct access to the device, or remote access via an ADB connection, can reboot the phone and change the settings of SELinux, the Linux kernel security module, opening the door to further exploitation. IBM researcher Roee Hay is credited with discovering the vulnerability. A Jan. 12 report by XDA Developers states that OnePlus has promised an upcoming fix. XDA has reported that OnePlus 3T phones are also affected by the flaw, although these models were not specifically cited in the X-Force Exchange platform entry.