Linux kernel developer Scotty Bauer has discovered a new way of unobtrusively compromising Android devices and infecting them with malware delivered over Wi-Fi.
Bauer found several software bugs in the qcacld Wi-Fi driver, which supports Qualcomm Atheros chipsets. These chipsets, together with the affected driver, are used in many Android smartphones, tablets, routers and other devices, including the Pixel and Nexus 5. In total, the developer discovered six previously unknown vulnerabilities that allow remote code execution and reported them to Google. On Monday, November 6, the company released a fix for them.
As Bauer explained, Qualcomm uses a SoftMAC design, meaning that the MAC (Media Access Control Sublayer Management Entity) is implemented in software rather than in hardware or in the SoC firmware. Consequently, the source code that handles 802.11 control frames has to live in the driver, where anyone can inspect it. In other words, an attacker can analyze the code and determine which control frames are needed, then send those frames to a nearby victim device and exploit the vulnerability.
The qcacld driver contains 691 thousand lines of code. Of the vulnerabilities the developer found, the most serious is CVE-2017-11013. It affects the dot11f.c file and is a buffer overflow that leads to remote code execution.
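As an added illustration (this is not qcacld code and not the patched function), here is a bounds-checked parser for the information elements in an 802.11 management-frame body, the kind of length-prefixed data a SoftMAC driver has to decode in software; parse_ssid, the constructed sample bodies and the check_* helpers are all hypothetical names.

```c
#include <stdint.h>
#include <string.h>
#define IE_SSID      0    /* element ID of the SSID information element */
#define MAX_SSID_LEN 32   /* 802.11 limits an SSID to 32 octets */

/* Walk the tag/length/value elements of a management-frame body and copy the
 * SSID into out.  Returns the SSID length, or -1 when an element runs past the
 * end of the body, the SSID exceeds 32 octets, or no SSID element exists. */
int parse_ssid(const uint8_t *body, size_t body_len, char out[MAX_SSID_LEN + 1])
{
    size_t off = 0;
    while (off + 2 <= body_len) {            /* need the ID and length bytes */
        uint8_t id = body[off], len = body[off + 1];
        if (len > body_len - off - 2)        /* element truncated by the body */
            return -1;
        if (id == IE_SSID) {
            if (len > MAX_SSID_LEN)          /* would overflow the fixed buffer */
                return -1;
            memcpy(out, body + off + 2, len);
            out[len] = '\0';
            return (int)len;
        }
        off += 2 + len;
    }
    return -1;
}
/* Constructed sample bodies (not captured traffic). */
static const uint8_t well_formed[] = { IE_SSID, 4, 'l', 'a', 'b', '1',   /* SSID "lab1" */
                                       1, 1, 0x82 };                     /* Supported Rates */
static const uint8_t truncated[] = { IE_SSID, 10, 'l', 'a', 'b' };       /* claims 10 octets, has 3 */

int check_well_formed(void)    /* returns 4 when the SSID "lab1" is recovered */
{
    char ssid[MAX_SSID_LEN + 1];
    int n = parse_ssid(well_formed, sizeof well_formed, ssid);
    return (n == 4 && strcmp(ssid, "lab1") == 0) ? n : -2;
}

int check_oversized(void)      /* 40-octet SSID in a 42-octet body: returns -1 */
{
    uint8_t body[42] = { IE_SSID, 40 };
    char ssid[MAX_SSID_LEN + 1];
    memset(body + 2, 'A', 40);
    return parse_ssid(body, sizeof body, ssid);
}

int check_truncated(void)      /* length byte exceeds remaining body: returns -1 */
{
    char ssid[MAX_SSID_LEN + 1];
    return parse_ssid(truncated, sizeof truncated, ssid);
}
```

The two rejected cases are the ones an unchecked parser would either copy past the end of its buffer or read past the end of the received frame.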