May 5th, 2016

Google released its May security update this week, and one of the vulnerabilities it patches has been sitting in some devices for about five years. The bug, tracked as CVE-2016-2060, is a nasty little bugger: a local privilege escalation that lets a malicious app, with no unusual permission request to tip you off, gain the privileges of the built-in "radio" user, which on older devices means it can read your SMS database and call log.

CVE-2016-2060 is most dangerous on devices running Android 4.3 Jelly Bean or older, because those releases predate enforcing SELinux (SEAndroid) on Android, so nothing confines what the "radio" user can read; on 4.4 KitKat and later, SELinux policy limits what an attacker gains from the escalation, although the underlying bug still needs patching. That is bad news given the latest Android distribution numbers, which show that at least 24% of active Android devices have yet to move to Android 4.4 KitKat. The vulnerability affects devices built on Qualcomm chipsets, and was introduced when Qualcomm added a set of programming interfaces to the "network_manager" system service (backed by the "netd" daemon) in its Android code.

Mandiant’s Red Team recently discovered a widespread vulnerability affecting Android devices that permits local privilege escalation to the built-in user “radio”, making it so an attacker can potentially perform activities such as viewing the victim’s SMS database and phone history.

The vulnerability exists in a software package maintained by Qualcomm that is available from the Code Aurora Forum. It is published as CVE-2016-2060 and security advisory QCIR-2016-00001-1 on the Code Aurora Forum.

This should be taken seriously. The fix is part of the May 2016 bulletin (security patch level 2016-05-01 or later), but on Android it reaches you only when your device maker and carrier push it, and many older Qualcomm-based handsets will never see it. If your device cannot be upgraded past Android 4.3 Jelly Bean, you may want to head to the store to check out some of the newer phones that will have this vulnerability patched. You know, if security is important to you.
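As a practical check for the "is my device affected" question above, here is an added example that is not code from the article, FireEye, or Qualcomm: a POSIX shell helper that reads the output of "adb shell getprop" and sorts a handset into buckets. The Qualcomm platform-name prefixes, the property names, the API-level cutoff and the 2016-05-01 patch-level cutoff are assumptions I am making (noted in the comments), and the sample getprop outputs are constructed for the demonstration.

```shell
#!/bin/sh
# Added triage helper; not code from the article, FireEye, or Qualcomm.
# Reads `adb shell getprop` output and classifies exposure to CVE-2016-2060.
# Assumptions (not stated in the article):
#  - Qualcomm SoCs report ro.board.platform as msm*/apq*/sdm*
#  - ro.build.version.security_patch (present on 6.0+) is YYYY-MM-DD, and
#    2016-05-01 or later carries the May 2016 bulletin fix
#  - API level 18 (Android 4.3) and lower: "radio" is not confined by SELinux

# prop TEXT KEY: pull one value out of "[key]: [value]" getprop lines.
prop() {
    printf '%s\n' "$1" | sed -n "s/^\[$2\]: \[\(.*\)\]\$/\1/p" | head -n 1
}

# triage: stdin = getprop output; prints exactly one of
#   not-qualcomm | patched | exposed-high | exposed-limited | unknown
triage() {
    props=$(cat)
    platform=$(prop "$props" ro.board.platform)
    sdk=$(prop "$props" ro.build.version.sdk)
    patch=$(prop "$props" ro.build.version.security_patch)

    case "$platform" in
        msm*|apq*|sdm*) ;;                      # Qualcomm naming (assumption)
        "") echo unknown; return 0 ;;
        *)  echo not-qualcomm; return 0 ;;
    esac

    # A patch level at or after 2016-05-01 means the bulletin fix is in.
    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            if [ "$(printf '%s' "$patch" | sed 's/-//g')" -ge 20160501 ]; then
                echo patched; return 0
            fi ;;
    esac

    # Refuse to guess if the API level is missing or not a number.
    case "$sdk" in
        *[!0-9]*|"") echo unknown; return 0 ;;
    esac

    # Android 4.3 is API level 18; there "radio" can read SMS and call logs.
    if [ "$sdk" -le 18 ]; then
        echo exposed-high
    else
        echo exposed-limited   # SELinux confines "radio" on 4.4+, but the bug is unpatched
    fi
    return 0
}

# Constructed sample getprop outputs (not captured from real devices).
sample_jb_qcom() {        # Android 4.3 on a Qualcomm MSM8960, no patch level property
    cat <<'EOF'
[ro.board.platform]: [msm8960]
[ro.build.version.release]: [4.3]
[ro.build.version.sdk]: [18]
EOF
}
sample_mm_patched() {     # Android 6.0.1 on MSM8974 with the May 2016 patch level
    cat <<'EOF'
[ro.board.platform]: [msm8974]
[ro.build.version.release]: [6.0.1]
[ro.build.version.sdk]: [23]
[ro.build.version.security_patch]: [2016-05-01]
EOF
}
sample_kk_unpatched() {   # Android 4.4.4 on MSM8226, no patch level property
    cat <<'EOF'
[ro.board.platform]: [msm8226]
[ro.build.version.sdk]: [19]
EOF
}
sample_exynos() {         # non-Qualcomm SoC on an old release
    cat <<'EOF'
[ro.board.platform]: [exynos5]
[ro.build.version.sdk]: [18]
EOF
}

# Against a connected device:  adb shell getprop | triage
# Demonstration on the constructed samples:
for s in sample_jb_qcom sample_mm_patched sample_kk_unpatched sample_exynos; do
    printf '%s: %s\n' "$s" "$($s | triage)"
done
```

The "exposed-limited" bucket is deliberate: a Qualcomm device on 4.4 or later without the patch still has the bug, it just gains less from the escalation because SELinux confines the radio user, so it is still worth chasing the OEM update.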

[ArsTechnica via FireEye]