The flaw can allow access to sensitive user data including:
- SMS (messaging) history
- Call history
- The ability to change system settings or disable the lock screen
Users with older phones running Android 4.3 (Jelly Bean MR2) and earlier are most at risk. It is estimated that 34% of users running versions 4.3 and earlier are at risk. SEAndroid, a security protection introduced in Android 4.4, greatly reduced the risks associated with this flaw.
What is required to put these older smartphones at risk?
- Physical access to the phone OR
- The phone being infected with a malicious application
Aside from an unauthorized person having access to personal information, there are no performance changes or crashes associated with this flaw! This means most people will never notice or realize their information is at risk.
How it Happened
Qualcomm, a provider of chips and code used in Android devices, introduced new software as part of the Android network manager system service. On vulnerable phones, this software connected to the “netd” daemon, which gave the phones heightened networking capabilities, including additional tethering capabilities. That elevation of privileges is where the risk comes in, and it is being used for devious purposes.
What to do about it
- Upgrade your Android version to version 4.4 or higher if possible. To check the Android version number:
  - Select "Settings"
  - Scroll down and select "About Phone"
- Apply the “netd” patch located here: https://www.codeaurora.org/improper-input-validation-tethering-controller-netd-cve-2016-2060-0
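
For anyone checking more than one phone, the version check above can be scripted from a computer. The following is an added example, not part of the original advisory or of Qualcomm's patch: it reads the output of `adb shell getprop` and applies the advisory's threshold (4.3 and earlier versus 4.4 and later). The function names and the tier labels "high", "reduced" and "unknown" are this example's own, and the sample device data is constructed.

```shell
#!/bin/sh
# Added example: classify exposure to the netd flaw from `adb shell getprop`
# output. Tier names and function names are assumptions of this example.

# Print the value of property $1 (a sed pattern) from getprop text on stdin.
# getprop lines look like: [ro.build.version.sdk]: [18]
prop_value() {
    sed -n "s/^\[$1\]: \[\(.*\)\]\$/\1/p" | head -n 1
}

# Read a getprop dump on stdin and print high, reduced or unknown.
#   high    = Android 4.3 (API 18) or earlier, the group most at risk
#   reduced = Android 4.4 (API 19) or later, where SEAndroid limits the flaw
netd_risk_tier() {
    dump=$(tr -d '\r')    # older adb versions emit CRLF line endings
    sdk=$(printf '%s\n' "$dump" | prop_value 'ro\.build\.version\.sdk')
    rel=$(printf '%s\n' "$dump" | prop_value 'ro\.build\.version\.release')
    case "$sdk" in
        ''|*[!0-9]*)
            # No usable API level: fall back to the release string (e.g. 4.3.1).
            major=${rel%%.*}
            case "$rel" in
                *.*) rest=${rel#*.}; minor=${rest%%.*} ;;
                *)   minor=0 ;;
            esac
            case "$major" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
            case "$minor" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
            if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 4 ]; }; then
                echo high
            else
                echo reduced
            fi ;;
        *)
            if [ "$sdk" -le 18 ]; then echo high; else echo reduced; fi ;;
    esac
}

# Constructed sample, not captured from a real device.
# Real use: adb shell getprop | netd_risk_tier
sample='[ro.build.version.release]: [4.3]
[ro.build.version.sdk]: [18]'
printf 'sample device: %s\n' "$(printf '%s\n' "$sample" | netd_risk_tier)"
```

A "reduced" result does not mean the phone is patched; it only reflects the Android version, so the “netd” patch or a vendor update is still needed.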