Qualcomm has patched a vulnerability in netd (network_manager) that for the last five years has left devices open to having their text message or contact databases compromised.
Qualcomm sent OEMs a fix for this problem back in March, but the gap in Android versions on the market means that most users are going to be out of luck.
In a blog post, FireEye says there are two ways to exploit the netd vulnerability. One is physical access to an unlocked device; the other, and the path most attackers would likely choose, is a malicious app.
"Any application could interact with this API without triggering any alerts. Google Play will likely not flag it as malicious, and FireEye Mobile Threat Prevention (MTP) did not initially detect it. It’s hard to believe that any antivirus would flag this threat. Additionally, the permission required to perform this is requested by millions of applications, so it wouldn't tip the user off that something is wrong," the blog post explained.
If exploited, the flaw allows an attacker to compromise the SMS and phone call databases, access the Internet, or perform anything allowed by the "radio" user.
Again, once the flaw is exploited, there is no indication to the user that something's gone wrong.
The good news is that newer Android devices are less affected by this vulnerability. However, Android Gingerbread (2.3.x), Ice Cream Sandwich MR1 (4.0.3), Jelly Bean MR2 (4.3), KitKat (4.4), and Lollipop (5.0) are all vulnerable to some degree. Also, netd is used by the CyanogenMod project.
Qualcomm sent the fix to OEMs back in March, but that doesn't mean all of the vulnerable Android versions got the patch. On May 1, Google did include the netd patch as part of their security update release, but again, that doesn't mean carriers delivered it.
In fact, older devices are less likely to get fixes, because carriers would rather you bought a new phone.
FireEye's blog has more technical details on the issue, for those who are curious. When the flaw was brought to Qualcomm's attention, the company fixed it within 90 days. FireEye says it has detected no active attacks against vulnerable devices.