Four months after Google fixed the issue, a security researcher has come forward to explain how a vulnerability in Android’s Qualcomm Secure Execution Environment (QSEE) can be leveraged to compromise devices.
Fixed in Google’s January Nexus Security Bulletin, the bug, tracked as CVE-2015-6639, is categorized as an elevation of privilege in the Android TrustZone.
The Android TrustZone is a separate, isolated execution environment that runs alongside the rest of the Android kernel and is tasked with the most crucial and sensitive operations, such as the ones that handle encrypted data.
CVE-2015-6639 + mediaserver exploit = trouble
Security researcher Gal Beniamini detailed this issue in Qualcomm’s custom implementation of the TrustZone kernel, which is used on Android smartphones built around Qualcomm chips.
Beniamini says the vulnerability is harmless on its own, but if an attacker chains two exploits together, CVE-2015-6639 can be used to gain root privileges inside Qualcomm’s TrustZone.
According to the researcher, any exploit in the Android mediaserver component will do. The mediaserver component is where the infamous Stagefright bug was discovered, and ever since launching its Android Security Bulletin last September, Google has been patching at least one mediaserver issue each month, so attackers would not have to look far for a working exploit.
An attacker only needs to craft a malicious app that carries these two exploits and trick a user into installing it. Once that is done, the attacker has full control over the device.
Three in five devices are vulnerable
According to telemetry data gathered from half a million Android phones by mobile security firm Duo, roughly three in five current Android devices use Qualcomm chips and run affected Android versions.
Even though Google has released patches for this issue, upgrading an Android device is entirely outside the control of both the user and Google, and these devices may remain vulnerable to this bug for a long time.
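For a defender triaging a fleet, the practical question is whether a given handset is a Qualcomm device that is still below the patch level that shipped the fix. The following is an added example, not code from the article or from Google, Qualcomm or Duo: it parses `getprop` output (the sample property dumps are constructed) and assumes the fix corresponds to the January 2016 bulletin's security patch level string `2016-01-01`, and that Qualcomm boards report a `ro.board.platform` value beginning with prefixes such as `msm` or `apq`.

```python
"""Triage helper: classify an Android device's exposure to CVE-2015-6639
from the output of `adb shell getprop`.  Added example; assumptions are
marked in comments."""
import re
from datetime import date

# Assumption: the fix shipped in the January 2016 Nexus bulletin, whose
# security patch level string is "2016-01-01".
FIX_PATCH_LEVEL = date(2016, 1, 1)

# Assumption: typical ro.board.platform values on Qualcomm SoCs
# (e.g. msm8974, msm8994, apq8084) start with one of these prefixes.
QUALCOMM_PREFIXES = ("msm", "apq", "mdm", "sdm", "qcom")

# Constructed sample property dumps in the "[key]: [value]" format getprop prints.
SAMPLE_VULNERABLE = """\
[ro.board.platform]: [msm8974]
[ro.build.version.release]: [6.0]
[ro.build.version.security_patch]: [2015-12-01]
"""
SAMPLE_PATCHED = """\
[ro.board.platform]: [msm8994]
[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2016-02-01]
"""
SAMPLE_NOT_QUALCOMM = """\
[ro.board.platform]: [exynos5433]
[ro.build.version.security_patch]: [2015-11-01]
"""
# Pre-Android-6.0 builds have no ro.build.version.security_patch property at all.
SAMPLE_NO_PATCH_LEVEL = """\
[ro.board.platform]: [msm8974]
[ro.build.version.release]: [5.1.1]
"""


def parse_getprop(text):
    """Turn getprop's "[key]: [value]" lines into a dict."""
    props = {}
    for m in re.finditer(r"^\[([^\]]+)\]:\s*\[([^\]]*)\]\s*$", text, re.M):
        props[m.group(1)] = m.group(2)
    return props


def parse_patch_level(value):
    """Parse a YYYY-MM-DD patch level; return None if absent or malformed."""
    if not value:
        return None
    try:
        year, month, day = (int(part) for part in value.split("-"))
        return date(year, month, day)
    except ValueError:
        return None


def assess(props):
    """Return one of: not-qualcomm, unknown-patch-level, vulnerable, patched."""
    platform = props.get("ro.board.platform", "").lower()
    if not platform.startswith(QUALCOMM_PREFIXES):
        return "not-qualcomm"
    patch = parse_patch_level(props.get("ro.build.version.security_patch"))
    if patch is None:
        # No patch level means the build predates monthly bulletins;
        # treat as unknown and escalate for manual review rather than "patched".
        return "unknown-patch-level"
    return "patched" if patch >= FIX_PATCH_LEVEL else "vulnerable"


if __name__ == "__main__":
    for name, dump in [("vulnerable", SAMPLE_VULNERABLE), ("patched", SAMPLE_PATCHED),
                       ("not-qualcomm", SAMPLE_NOT_QUALCOMM), ("no-level", SAMPLE_NO_PATCH_LEVEL)]:
        print(f"{name:13s} -> {assess(parse_getprop(dump))}")
```

Feed it real output from `adb shell getprop` on each device; a result of `unknown-patch-level` should be treated as exposed until confirmed otherwise, since devices that predate the patch-level property are exactly the long-unpatched population the article describes.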
“This issue is rated as a Critical severity due to the possibility of a local permanent device compromise, in which case the device would possibly need to be repaired by re-flashing the operating system,” Google wrote.
The only way to avoid a total pwnage of your Android device is to use an antivirus solution or to install only reputable, trusted applications.