Google patched a 5-year-old Android vulnerability but devices running Jelly Bean and below are still at risk


Google released its May security update this week, and one of the issues it patched is a vulnerability that has been around for the last five years. The vulnerability, tracked as CVE-2016-2060, is a nasty little bugger, one that allows an application to view your SMS database and call log.

CVE-2016-2060 is claimed to be most dangerous for devices running Android 4.3 Jelly Bean and below, which isn’t good news considering the latest Android distribution rankings, which state that at least 24% of Android users have yet to even upgrade to Android 4.4 KitKat. The vulnerability affects devices using Qualcomm processors after the company released a set of programming interfaces for a system service known as “network_manager”.

Mandiant’s Red Team recently discovered a widespread vulnerability affecting Android devices that permits local privilege escalation to the built-in user “radio”, making it so an attacker can potentially perform activities such as viewing the victim’s SMS database and phone history.

The vulnerability exists in a software package maintained by Qualcomm that is available from the Code Aurora Forum. It is published as CVE-2016-2060 and security advisory QCIR-2016-00001-1 on the Code Aurora Forum.

This should be taken very seriously. If your device cannot be upgraded past Android 4.3 Jelly Bean, you may want to head to the store to check out some of the latest phones that will have this vulnerability patched. You know, if security is important to you.

[ArsTechnica via FireEye]

