Google recently shut down the boot mode vulnerability in Android that allowed hackers to eavesdrop on calls. Can you explain how this exploit works?
It takes a few steps for the boot mode vulnerability exploit to work. First, the attacker infects a PC with malware through the internet. Then, the attacker waits for the victim to enable Android Debug Bridge (ADB) after manually connecting his Nexus 6 or 6P phone to the infected PC.
ADB is a command-line utility that is included with Google's Android SDK. The victim can use ADB to control his device over USB from a PC, copy files back and forth, and install and uninstall apps -- including fingerprint sensor apps. If the victim is also a developer, he can use it to load Android application packages onto his device.
After the victim enables ADB, the attacker installs PC malware on the device. Then, the PC malware waits for the victim to boot up and place the device in fastboot mode, so that it can exploit an elevation of privilege vulnerability in the bootloader.
This severe boot mode vulnerability allows an attacker to execute modem commands on the device. By turning on extra USB interfaces, the attacker can eavesdrop on calls, intercept data packets and get the GPS coordinates of where the calls were made.
Even when the victim disables ADB, the attacker can access a locked PC and open an ADB session with the device. This causes the ADB host to run through the victim's PC.
Although the newer 6P phone had its modem diagnostics disabled in the firmware, the attacker can still seize control of the modem interfaces. The attacker can use the interfaces to send or eavesdrop on SMS messages and, possibly, to bypass two-factor authentication.
The Android boot mode vulnerability was patched by Google earlier this year, so it shouldn't affect most enterprise users as long as they regularly update their devices.
A second, more moderate boot mode vulnerability (CVE-2016-6678) involved the Motorola USBNet driver and enabled a malicious application to let the attacker grab data from both Nexus phones. Google patched this moderate vulnerability in October.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)