A flaw in mobile chip maker Qualcomm’s mobile processor, used in 60 percent of Android devices, allows attackers to take control over a targeted phone or tablet under specific conditions. Researchers at Duo Labs said the vulnerability is tied to Android’s problem-plagued mediaserver, coupled with a security hole in Qualcomm’s Secure Execution Environment (QSEE).
This QSEE vulnerability, discovered by Gal Beniamini last week, is troubling because it impacts both old versions of the Android operating system and new Marshmallow versions. Google has issued a patch for the exploit, however Duo estimates only a small fraction of Android devices have received the fix.
Duo researchers are careful to give perspective to its analysis of the QSEE vulnerability (CVE-2015-6639) and stress that while a majority of Android devices are vulnerable to attack via this exploit, security concerns aren’t as dire as attacks from the similar and more malicious Stagefright.