By linking two operating system and chip vulnerabilities, it is possible to compromise over half of enterprise Android phones, researchers said.
The flaws affect scores of phones on the market running the most popular Android release, Lollipop (version 5), the second-placed KitKat (version 4.4), and the modern but barely-used Marshmallow (version 6), said Duo Security researcher Kyle Lady.
Around 60 percent of enterprise Android phones suffer from the issue based on tests of half a million phones.
Affected users can apply a January patch if one is available, although Android handsets other than Nexus units end up locked into custom vendor ROMs and as such must hope manufacturers will distribute Google’s security updates.
About 27 percent of those devices were old Androids.
“If an attacker can get a user to run a malicious app on an affected Android device, the attacker can gain complete control over the entire device by exploiting this QSEE vulnerability,” Lady said in a blog post.
“This attack requires exploiting some vulnerability in mediaserver, and we’re assuming that the attacker has one, given how frequently critical or high severity bugs in mediaserver are found and patched.
“While the likelihood of getting malicious code onto a device is very low, all it takes is one success to get attack code in the Play Store.”
Users need to download an attacker’s app to suffer from the compromise.
The attack exploits functions like accessibility, screen overlay, and root rights. The Marshmallow platform is much more hardened than Lollipop and significantly more so than KitKat.