How does the boot mode vulnerability in Android work?

A boot mode vulnerability allowed attackers to eavesdrop on calls made on certain Android devices. Expert Judith Myerson explains how the complex exploit works.

Google recently shut down the boot mode vulnerability in Android that allowed hackers to eavesdrop on calls. Can you explain how this exploit works?

It takes a few steps for the boot mode vulnerability exploit to work. First, the attacker infects a PC with malware through the internet. Then, the attacker waits for the victim to enable Android Debug Bridge (ADB) after manually connecting his Nexus 6 or 6P phone to the infected PC.

ADB is a command-line utility that is included with Google's Android SDK. The victim can use ADB to control his device over USB from a PC, copy files back and forth, and install and uninstall apps -- including fingerprint sensor apps. If the victim is also a developer, he can use it to load Android application packages onto his device.

After the victim enables ADB, the malware on the PC uses that connection to install itself on the device. It then waits for the victim to reboot the device into fastboot mode, where it exploits an elevation-of-privilege vulnerability in the bootloader.

This severe boot mode vulnerability allows an attacker to execute modem commands on the device. By turning on extra USB interfaces, the attacker can eavesdrop on calls, intercept data packets and get the GPS coordinates of where the calls were made.
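The attack described above ends with extra USB interfaces being exposed on the phone. A defender can spot that from the PC side by comparing the interfaces a connected device advertises against the ones a normal Nexus exposes. The following check is an added example, not code from the original article or from Google: it parses `lsusb -v` style interface descriptors (the sample text is constructed) and flags any interface outside an assumed allowlist of ADB and MTP, naming CDC modem-class interfaces explicitly.

```python
import re

# Interface triples (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol)
# a Nexus phone is expected to expose in normal use. Allowlist is an assumption
# for this example; extend it for your own device images.
EXPECTED = {
    (0xFF, 0x42, 0x01): "adb",   # Android Debug Bridge (vendor-specific class)
    (0x06, 0x01, 0x01): "mtp",   # Media Transfer Protocol (still image class)
}

# Standard USB classes that indicate a modem/serial channel over USB.
SUSPECT_CLASSES = {
    0x02: "cdc-communications (modem/ACM control)",
    0x0A: "cdc-data (modem/ACM data)",
}

_FIELD = re.compile(
    r"^\s*(bInterfaceClass|bInterfaceSubClass|bInterfaceProtocol)\s+(\d+)", re.M)

# Constructed sample of `lsusb -v` output: MTP, ADB, plus a CDC ACM modem pair.
SAMPLE_LSUSB = """\
Bus 001 Device 009: ID 18d1:0000 Google Inc. (constructed sample)
    Interface Descriptor:
      bInterfaceClass         6 Imaging
      bInterfaceSubClass      1 Still Image Capture
      bInterfaceProtocol      1 Picture Transfer Protocol (PIMA 15470)
    Interface Descriptor:
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass     66
      bInterfaceProtocol      1
    Interface Descriptor:
      bInterfaceClass         2 Communications
      bInterfaceSubClass      2 Abstract (modem)
      bInterfaceProtocol      1 AT-commands (v.25ter)
    Interface Descriptor:
      bInterfaceClass        10 CDC Data
      bInterfaceSubClass      0
      bInterfaceProtocol      0
"""

def parse_interfaces(lsusb_text):
    """Return the (class, subclass, protocol) triple of each interface descriptor."""
    triples, cur = [], {}
    for name, value in _FIELD.findall(lsusb_text):
        cur[name] = int(value)
        if len(cur) == 3:  # lsusb prints the three fields in this fixed order
            triples.append((cur["bInterfaceClass"], cur["bInterfaceSubClass"],
                            cur["bInterfaceProtocol"]))
            cur = {}
    return triples

def unexpected_interfaces(triples):
    """Return [(triple, label)] for every interface outside the allowlist."""
    return [(t, SUSPECT_CLASSES.get(t[0], "unexpected interface"))
            for t in triples if t not in EXPECTED]

if __name__ == "__main__":
    for triple, label in unexpected_interfaces(parse_interfaces(SAMPLE_LSUSB)):
        print("FLAG", triple, label)
```

On a real host, feed it the output of `lsusb -v -d 18d1:` for the connected phone; any flagged CDC interface on a device that should only expose ADB and MTP deserves a closer look.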

Even if the victim later disables ADB, the attacker can still reach the locked PC and open an ADB session with the device, with the ADB host running on the victim's PC.

Although the newer 6P phone shipped with modem diagnostics disabled in its firmware, the attacker can still seize control of the modem interfaces and use them to send or eavesdrop on SMS messages and, possibly, to bypass two-factor authentication.

The Android boot mode vulnerability was patched by Google earlier this year, so it shouldn't affect most enterprise users as long as they regularly update their devices.

A second, more moderate boot mode vulnerability (CVE-2016-6678) was in the Motorola USBNet driver; it let a malicious application grab data from both Nexus phones. Google patched this moderate vulnerability in October.



This was last published in April 2017
