Attackers can gain complete control over 60 percent of Android phones using a critical flaw.
First discovered by researcher Gal Beniamini, the vulnerability (CVE-2015-6639) allows an attacker to execute code within Qualcomm’s Secure Execution Environment (QSEE).
You see, most mobile platforms come pre-installed with a trusted environment for executing code that is segregated from the normal operating system. This environment is created by TrustZone.
QSEE refers to Qualcomm’s implementation of TrustZone. As such, it is divided between two environments: the “Non-Trusted” and “Trusted” worlds.
The operating system and mobile applications function in the “Non-Trusted” world, whereas more sensitive functions (such as the processing of cryptographic keys and encrypted data) take place in the “Trusted” world.
Those two realms are supposed to remain separate except during development. But Beniamini has detected a method by which attackers can gain access to the “Trusted” world from the “Non-Trusted” world. All they need is a vulnerable “trustlet,” or trusted application:
“…Communication with TrustZone exposes a large (!) attack surface – if any trustlet that can be loaded on a particular device contains a vulnerability, we can exploit it in order to gain code execution within the trusted execution environment. Moreover, since the trusted execution environment has the ability to map-in and write to all physical memory belonging to the ‘Normal World’, it can also be used in order to infect the ‘Normal World’ operating system’s kernel without there even being a vulnerability in the kernel (simply by directly modifying the kernel’s code from the ‘Secure World’).”
As it turns out, the security researcher discovered one such vulnerable trustlet: widevine, a trusted application in Android’s mediaserver which enables playback of digital rights management (DRM) encrypted media.
By exploiting that vulnerable trustlet, the researcher can in a sense bypass the Linux kernel entirely and gain access to QSEE, as illustrated in the graphic below:
Following his discovery, Beniamini tested several Android devices and found them to be vulnerable, but it was unclear just how many separate phones were affected by the critical vulnerability.
That’s not the case any longer.
Kyle Lady, product R&D at Duo Security, measured a data sample of 500,000 Android devices running the security firm’s 2-step verification app. Out of those phones he analyzed, 60 percent were found to be vulnerable.
Not only that, but 27 percent of those devices were found to be “permanently vulnerable” in that they are too old to receive monthly updates. In that case, those devices can be protected only via an OS upgrade to at least Android 4.4.4 or by receiving a patch from the carrier on that version and model.
That latter fix is unlikely. Even on newer models that receive patches on a monthly basis, it’s unlikely users will receive the update anytime soon. As Lady told CSO:
“There really isn’t any way for them to force a patch to happen,” he said. “If it isn’t a Nexus phone, the manufacturer has to apply the patch to the software, then send it to the carrier, such as Verizon. The carrier has to approve it, and then send it to customers using that phone. So there’s a substantial delay.”
Let’s be clear. This vulnerability isn’t as serious as something like Stagefright. This flaw does in the very least require attackers to trick a target into downloading a malicious application on their Android device.
As a result, while users await a fix for their Android model and version, they should install applications from only trusted sources. They should also regularly check their devices for security updates and implement them as soon as possible.