In a classic "bad news; worse news" situation, researchers have discovered that a dangerous bug has been present in hundreds of millions of Android devices for the past five years. While there's a fix, it's not available to most users, and may not be for a while to come.
Qualcomm, which provides chips and code for a plethora of Android phones and tablets, has an exploitable bug in one of its vital services. In the wrong hands, the bug could let a cybercriminal or malicious app make calls, send texts or even disable a phone's lockscreen -- all without the user's knowledge.
The flaw, designated CVE-2016-2060 under the common bug-reporting system, was discovered by security firm FireEye, which detailed it in a blog posting. In a nutshell, it lets a malicious program access many settings and sensitive pieces of information on an affected phone, even if the victim does not grant the malicious app any special privileges.
FireEye notified Qualcomm of the flaw in January, and Qualcomm had fix ready by the end of April. Google's latest Android Security Bulletin, detailing fixes made to Nexus devices on May 1, rates the bug with High severity.
Here's where things get hairy, though: We have no idea which devices, other than Nexus devices currently supported by Google, will get patches, or when that might happen. In theory, Android versions 2.3 Gingerbread, 3.0 Honeycomb, 4.0 Ice Cream Sandwich, 4.1-4.3 Jellybean, 4.4 KitKat and 5.0 Lollipop are all vulnerable, meaning that any device made within the last five years or so could fall prey to this flaw.
Devices running KitKat or later are less vulnerable, as the Security Enhanced Linux (SELinux) incorporated into those version of Android mitigate many of the possible exploits. If you've got a device running Marshmallow, go into Settings --> About phone and scroll down to "Android security patch level." If that says May 1, 2016, you've probably got the patch.
But, as always, Google does not control when individual phone manufacturers will deploy security updates, or which fixes they must include. Users with recent phones from Samsung, HTC, Motorola, Huawei or other prominent Android manufacturers may have to wait months before they receive the patch.
Some manufacturers discontinue security patches for devices that are only a year old, and most do for devices that are more than two years old, which means that older handsets might have to live with the vulnerability forever. (Android "rooters" should know that some builds of the alternate Android firmware Cyanogenmod appear to already have the patch.)
In the meantime, it's not all doom and gloom. While the Qualcomm bug is extremely dangerous, there's also no evidence that anyone has tried to exploit it in the wild. Furthermore, Qualcomm's tethering control is not the average phone's last line of defense.