OEMs got the fix in March, but that doesn't mean they pushed it to users Qualcomm has patched a vulnerability in netd (network_manager), which for the last five years has left devices vulnerable to having their text message or contact databases compromised.Qualcomm sent OEMs a fix for this problem back in March, but the gap in Android versions on the market means that most users are going to be out of luck.In a blog post, FireEye says there are two ways to exploit the netd vulnerability, one of them is physical access to an unlocked device. The other, and likely path most attackers would chose, is to use a malicious app.“Any application could interact with this API without triggering any alerts. Google Play will likely not flag it as malicious, and FireEye Mobile Threat Prevention (MTP) did not initially detect it. It’s hard to believe that any antivirus would flag this threat. Additionally, the permission required to perform this is requested by millions of applications, so it wouldn’t tip the user off that something is wrong,” the blog post explained. If exploited, the flaw allows an attacker to compromise the SMS and phone call databases, access the Internet, or perform anything allowed by the “radio” user.Again, once the flaw is exploited, there is no indication to the user that something’s gone wrong. The good news is that newer Android devices are affected less by this vulnerability. However, Android Gingerbread (2.3.x), Ice Cream Sandwich MR1 (4.0.3), Jellybean MR2 (4.3), KitKat (4.4), and Lollipop (5.0) are all vulnerable to some degree. Also, netd is used by the Cyanogenmod project.Qualcomm sent the fix to OEMs back in March, but that doesn’t mean all of the vulnerable Android versions got the patch. On May 1, Google did include the netd patch as part of their security update release, but again, that doesn’t mean carriers delivered it.In fact, older devices are less likely to get fixes, because carriers would rather you bought a new phone.FireEye’s blog has more technical details on the issue, for those who are curious. When the flaw was brought to Qualcomm’s attention, they fixed it within 90-days. FireEye says they’ve detected no active attacks against vulnerable devices. Related content news Gwinnett Medical Center investigating possible data breach After being contacted by Salted Hash, Gwinnett Medical Center has confirmed they're investigating a security incident By Steve Ragan Oct 02, 2018 6 mins Regulation Data Breach Hacking news Facebook: 30 million accounts impacted by security flaw (updated) In a blog post, Facebook’s VP of product management Guy Rosen said the attackers exploited a flaw in the website's 'View As' function By Steve Ragan Sep 28, 2018 4 mins Data Breach Security news Scammers pose as CNN's Wolf Blitzer, target security professionals Did they really think this would work? By Steve Ragan Sep 04, 2018 2 mins Phishing Social Engineering Security news Congress pushes MITRE to fix CVE program, suggests regular reviews and stable funding After a year of investigation into the Common Vulnerabilities and Exposures (CVE) program, the Energy and Commerce Committee has some suggestions as to how it can be improved By Steve Ragan Aug 27, 2018 3 mins Vulnerabilities Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe