Valletta said.

Devices running Android KitKat (4.4) and later are affected less than older devices because they come with the Security Enhancements for Android (SEAndroid) mechanism enabled in enforcing mode by default. This makes stealing other apps’ data through this flaw impossible. On these newer Android versions, “the ‘netd’ context that the ‘/system/bin/radish’ executable runs as does not have the ability to interact with other ‘radio’ user application data, has limited filesystem write capabilities and is typically limited in terms of application interactions,” Valletta said. However, a malicious application could still use the flaw to modify system properties, he said. “The impact here depends entirely on how the OEM is using the system property subsystem.”

call history and other sensitive data.

To exploit this vulnerability, a malicious application would only need the widely used “ACCESS_NETWORK_STATE” permission in order to access the API exposed by the modified Qualcomm service. This makes it hard to detect exploitation attempts. “Any application could interact with this API without triggering any alerts,” said Jake Valletta from Mandiant, a subsidiary of FireEye, in a blog post. “Google Play will likely not flag it as malicious, and FireEye Mobile Threat Prevention (MTP) did not initially detect it. It’s hard to believe that any antivirus would flag this threat.” Once the “radio” privilege is obtained, the malicious app can access the data of other applications running under the same user. This includes the stock Phone and Telephony Providers applications, which have access to text messages, call history and other sensitive data.