A recent flaw found in Qualcomm chips put users at risk. The vulnerability makes it possible for attackers to steal users' text messages and call history. “Recent” is relative, since the flaw was found by researchers from FireEye and patched by Qualcomm in March. But because the vulnerability was accidentally introduced five years ago, many devices are still affected, since devices lose manufacturer support as time goes on.
The flaw, tracked as CVE-2016-2060, is in a component of Android devices called “netd”. Qualcomm first modified this component to give users more tethering capabilities. However, malicious apps can exploit the flaw to execute commands as the radio system user.
A security advisory released by the Qualcomm Innovation Center says the flaw affects all Android Jelly Bean, KitKat and Lollipop devices. Google included CVE-2016-2060 in its May Android Security Bulletin, which was published today. The flaw is rated “high severity” because “it can be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to a third-party application.”