Qualcomm security bug exposes system data on Android

Thomas Wellburn
May 5, 2016

A fresh security flaw has been discovered in Android devices that use a Qualcomm chipset (basically the majority). It can expose sensitive system files to potential attackers.

The bug is known to affect devices running operating systems as recent as Android Lollipop and lets malicious applications access system data files. Qualcomm reportedly developed a patch for the bug back in March but failed to release it, as the issue also spans multiple forked variants of the Android OS. This means even the security heavyweights who use Cyanogen could be impacted.

It stems from an issue found in one of the new Android Application Programming Interfaces (APIs), which specify how software components should interact with the operating system. The bug exploits a specific background process which runs unbeknownst to the user. This can help the application to anonymously steal things such as call history and SMS logs, while also broadcasting this information over the internet without the user's permission.

Since it’s the API at fault and the app is interacting with it in a seemingly normal way, it’s likely that virus scanners and the Google Play Store alike will not pick up applications that exploit this flaw. Also, as this flaw lies with the Qualcomm chipset itself, it’s up to the smartphone manufacturers to push out patches for the bug, which could seriously fragment the fix across Android smartphones. In layman’s terms, the manufacturers themselves probably don’t know for sure which devices are affected, and patching those that are will still leave the other offenders vulnerable. Currently, it’s impossible to say exactly which devices are affected.

For more news, visit What Mobile’s dedicated news page.  
