SecurityWeek

Mobile & Wireless

Critical Vulnerability Plagues 60% of Android Devices

A Critical Elevation of Privilege (EoP) vulnerability in the Qualcomm Secure Execution Environment (QSEE) affects around 60 percent of all Android devices around the world, despite being already fixed, researchers warn. 

The culprit is an EoP flaw in the Widevine QSEE TrustZone application, namely CVE-2015-6639, which was resolved in January when Google issued patches for 12 security flaws in Android. The bug could enable a compromised, privileged application with access to QSEECOM to execute arbitrary code in the TrustZone context.

In short, QSEECOM is a Linux kernel device that allows regular user-space processes such as mediaserver (which runs in the normal operating system, or “Normal World”) to communicate with trusted applications (or trustlets) in a secure OS that manages protected services and hardware (the “Secure World”). Malicious code running in the Normal World can therefore call trustlets and exploit vulnerabilities in them to compromise the device.

The TrustZone kernel operates in the Secure World and QSEECOM in the Normal World, but both run in kernel mode. In this case, an attacker able to run malicious code in mediaserver can exploit an application running in the Secure World (Widevine’s DRM trustlet) to gain full control over the affected device by modifying the Normal World’s Linux kernel.

Gal Beniamini explained in a recent blog post that QSEE is extremely privileged, which allows it to interact directly with the TrustZone kernel and access the hardware-secured TrustZone file system (SFS). Moreover, it has direct access to the system’s memory, which allows an attacker to hijack the Linux kernel without having to find and exploit a kernel vulnerability.

However, the attacker would still have to exploit a vulnerability in mediaserver, and those are not in short supply, that’s for sure. Since mid-2015, when the Stagefright vulnerability was initially disclosed, Google has been patching bugs in mediaserver monthly, and the May 2016 security update for Nexus devices included such a patch as well.

The issue, discovered last year by Gal Beniamini, affects 75 percent of all Android devices powered by a Qualcomm processor, security firm Duo Security claims. According to Duo, around 80 percent of all Android devices have a Qualcomm processor inside, but just 25 percent of users have applied the patch, meaning that 60 percent of devices continue to be vulnerable.

While eligible devices have already received the January 2016 security update, millions of others have not. With this patch being the only fix for the vulnerability, manufacturers need to apply it to their devices and send it to carriers, while carriers need to approve and deploy it. However, the process is slow and older devices are most often left out of this update cycle, meaning that millions of users won’t receive the patch. Ever.

According to Duo researchers, an analysis of their dataset of 500,000 enterprise devices revealed that around 27 percent of all Android devices out there remain permanently vulnerable to this bug. To mitigate that, manufacturers and carriers would need to build and approve a patch for the specific Android version the affected devices run.
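The exposure logic the article describes (a Qualcomm SoC, so QSEE/QSEECOM is present, combined with a security patch level older than the January 2016 update that fixed CVE-2015-6639) is the kind of triage Duo ran over its enterprise fleet. The script below is an added example, not code from the article, Duo or Google: it parses `getprop` output as a device inventory would collect it and classifies each device. The Qualcomm platform-name prefixes and the `2016-01-01` patch-level cutoff are assumptions drawn from the article's January 2016 statement and from common `ro.board.platform` values; the sample inventory is constructed.

```python
"""Fleet triage for exposure to CVE-2015-6639 (Widevine QSEE EoP).

Added example, not part of the SecurityWeek article. A device is treated as
exposed if it is a Qualcomm platform (QSEE/QSEECOM only exist there) and its
Android security patch level predates the January 2016 fix.
"""
import re
from datetime import date

# The fix shipped in the January 2016 Android security update (per the
# article); assumption: that bulletin's patch-level string is 2016-01-01.
FIX_PATCH_LEVEL = date(2016, 1, 1)

# Assumption: Qualcomm ro.board.platform / ro.hardware values commonly start
# with one of these prefixes (msm8974, apq8084, qcom, ...).
QUALCOMM_MARKERS = ("msm", "apq", "qcom", "sdm", "qsd")


def parse_getprop(text):
    """Parse `getprop` lines of the form `[key]: [value]` into a dict."""
    props = {}
    for m in re.finditer(r"^\[([^\]]+)\]:\s*\[([^\]]*)\]\s*$", text, re.M):
        props[m.group(1)] = m.group(2)
    return props


def is_qualcomm(props):
    """Heuristic: any of the usual platform properties carries a Qualcomm prefix."""
    for key in ("ro.board.platform", "ro.hardware", "ro.product.board"):
        if props.get(key, "").lower().startswith(QUALCOMM_MARKERS):
            return True
    return False


def patch_level(props):
    """Return ro.build.version.security_patch as a date, or None if absent.

    Builds older than Android 6.0 never set this property, so a missing value
    is itself a signal that the device is stuck on an old release.
    """
    raw = props.get("ro.build.version.security_patch", "")
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", raw)
    return date(*map(int, m.groups())) if m else None


def classify(props):
    """Return 'not-affected', 'patched', 'vulnerable' or 'unknown-patch-level'."""
    if not is_qualcomm(props):
        return "not-affected"
    pl = patch_level(props)
    if pl is None:
        # No patch-level property at all: treat as exposed until proven otherwise.
        return "unknown-patch-level"
    return "patched" if pl >= FIX_PATCH_LEVEL else "vulnerable"


def summarize(inventory):
    """inventory: dict of device id -> raw getprop text. Returns counts per class."""
    counts = {}
    for text in inventory.values():
        c = classify(parse_getprop(text))
        counts[c] = counts.get(c, 0) + 1
    return counts


# Constructed sample inventory; property values are invented for illustration.
SAMPLE_INVENTORY = {
    "dev-a": "[ro.board.platform]: [msm8974]\n[ro.build.version.security_patch]: [2015-12-01]\n",
    "dev-b": "[ro.board.platform]: [msm8994]\n[ro.build.version.security_patch]: [2016-01-01]\n",
    "dev-c": "[ro.board.platform]: [exynos5]\n[ro.build.version.security_patch]: [2015-11-01]\n",
    "dev-d": "[ro.hardware]: [qcom]\n",  # pre-6.0 build: no patch-level property
}

if __name__ == "__main__":
    for dev, text in SAMPLE_INVENTORY.items():
        print(dev, classify(parse_getprop(text)))
    print(summarize(SAMPLE_INVENTORY))
```

On a real fleet the `getprop` text would come from `adb shell getprop` or an MDM agent; the script deliberately counts devices with no patch-level property as exposed rather than unknown-safe, because those are exactly the older devices the article says will never see the fix.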

In March, researchers at FireEye published the details of a serious information disclosure vulnerability affecting a Qualcomm software package found in hundreds of Android device models. The issue was found in the Qualcomm tethering controller (CVE-2016-2060) and could allow a malicious application to access user information.

Also in March, Google released an emergency security patch for Android devices in an attempt to resolve a local elevation of privilege vulnerability in the kernel, after researchers discovered that the flaw was already being abused by rooting applications.
