A critical vulnerability in Android has been made public, and it specifically points to devices that are powered by Qualcomm chipsets. If you realize how ubiquitous Qualcomm has become, this equals to a huge freaking lot of Android devices. The vulnerability allows escalation of privileges to an attacker that gives them access to the device’s SMS database and phone history.
This vulnerability is coded as CVE-2016-2060, which the recent Android Security Bulletin describes as a critical vulnerability in Qualcomm’s Tethering Controller. The vulnerability was introduced when Qualcomm provided a new APIs as part of the “network_manager” system service, and subsequently the “netd” daemon, that allows additional tethering capabilities. Qualcomm has addressed the issue by patching the “netd” daemon. They have notified their customers – which means all of the manufacturers who use Qualcomm chipsets – in early March 2016 to provide updates for their devices.
The vulnerability has also been patched in Google’s recent Android Security Bulletin, but the truth of the matter is this – with the huge number of phones using Qualcomm chipsets and the slow response of OEMs in updating the software of their devices, a lot of smartphones will never get the patch to secure the data they have within from this vulnerability.
Maybe the top tier devices of branded manufacturers will get patched somehow – Nexus devices are surely protected from this. But a lot of the midrange and low end devices are in trouble is ever some malicious hacker takes it upon himself to hack their devices.