Google recently shut down the boot mode vulnerability in Android that allowed hackers to eavesdrop on calls. Can...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
you explain how this exploit works?
It takes a few steps for the boot mode vulnerability exploit to work. First, the attacker infects a PC with malware through the internet. Then, the attacker waits for the victim to enable Android Debug Bridge (ADB) after manually connecting his Nexus 6 or 6P phone to the infected PC.
ADB is a command-line utility that is included with Google's Android SDK. The victim can use ADB to control his device over USB from a PC, copy files back and forth, and install and uninstall apps -- including fingerprint sensor apps. If the victim is also a developer, he can use it to load Android application packages onto his device.
After the victim enables ADB, the attacker installs PC malware on the device. Then, the PC malware waits for the victim to boot up and place the device in fastboot mode to exploit an elevation of privilege vulnerability in the bootloader.
This severe boot mode vulnerability allows an attacker to execute modem commands on the device. By turning on extra USB interfaces, the attacker can eavesdrop on calls, intercept data packets and get the GPS coordinates of where the calls were made.
Even when the victim disables the ADB, the attacker can access a locked PC and open an ADB session with the device. This causes the ADB host to run through the victim's PC.
Although the newer 6P phone had its modem diagnostics disabled in the firmware, the attacker can still seize control of the modem interfaces. The attacker can use the interfaces to send or eavesdrop on SMS messages and, possibly, to bypass two-factor authentication.
The Android boot mode vulnerability was patched by Google earlier this year, so it shouldn't affect most enterprise users as long as they regularly update their devices.
A second, more moderate boot mode vulnerability (CVE-2016-6678) pointed to the Motorola USBNet driver, which enabled a malicious application to allow the attacker to grab data in both Nexus phones. Google patched this moderate vulnerability in October.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Find out how the Mazar malware takes control of Android devices
Discover what you need to know about signatureless malware detection
Learn about another Android malware, Pegasus
Dig Deeper on Mobile security threats and prevention
Related Q&A from Judith Myerson
HTTPS interception tools help protect websites, but they can also hurt TLS security. Expert Judith Myerson explains how this works and what ...continue reading
Router vulnerabilities in over 20 Linksys models expose user data to attackers. Expert Judith Myerson explains how the flaws work and how to protect ...continue reading
Better DevOps application lifecycle management can help protect cryptographic and digital keys. Expert Judith Myerson explains the right approaches ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.