Serious Security Bug Threatens Millions of Android Phones

In a classic "bad news; worse news" situation, researchers have discovered that a dangerous bug has been present in hundreds of millions of Android devices for the past five years. While there's a fix, it's not available to most users, and may not be for a while to come.

Credit: Fizkes/Shutterstock

Qualcomm, which provides chips and code for a plethora of Android phones and tablets, has an exploitable bug in one of its vital services. In the wrong hands, the bug could let a cybercriminal or malicious app make calls, send texts or even disable a phone's lockscreen -- all without the user's knowledge.

The flaw, designated CVE-2016-2060 under the common bug-reporting system, was discovered by security firm FireEye, which detailed it in a blog posting. In a nutshell, it lets a malicious program access many settings and sensitive pieces of information on an affected phone, even if the victim does not grant the malicious app any special privileges.

FireEye notified Qualcomm of the flaw in January, and Qualcomm had a fix ready by the end of April. Google's latest Android Security Bulletin, detailing fixes made to Nexus devices on May 1, rates the bug with High severity.

Here's where things get hairy, though: We have no idea which devices, other than Nexus devices currently supported by Google, will get patches, or when that might happen. In theory, Android versions 2.3 Gingerbread, 3.0 Honeycomb, 4.0 Ice Cream Sandwich, 4.1-4.3 Jelly Bean, 4.4 KitKat and 5.0 Lollipop are all vulnerable, meaning that any device made within the last five years or so could fall prey to this flaw.

Devices running KitKat or later are less vulnerable, as the Security Enhanced Linux (SELinux) incorporated into those versions of Android mitigates many of the possible exploits. If you've got a device running Marshmallow, go into Settings --> About phone and scroll down to "Android security patch level." If that says May 1, 2016, you've probably got the patch.

But, as always, Google does not control when individual phone manufacturers will deploy security updates, or which fixes they must include. Users with recent phones from Samsung, HTC, Motorola, Huawei or other prominent Android manufacturers may have to wait months before they receive the patch.

Some manufacturers discontinue security patches for devices that are only a year old, and most do for devices that are more than two years old, which means that older handsets might have to live with the vulnerability forever. (Android "rooters" should know that some builds of the alternate Android firmware CyanogenMod appear to already have the patch.)

In the meantime, it's not all doom and gloom. While the Qualcomm bug is extremely dangerous, there's also no evidence that anyone has tried to exploit it in the wild. Furthermore, Qualcomm's tethering control is not the average phone's last line of defense. 

Marshall Honorof
