Yongzheng Wu

**Name of the Vulnerable Software and Affected Versions** Android versions 5.x through 5.1.1 LMY49H Android versions 6.x through 2016-03-01 **Description** The issue is related to the `getDeviceIdForPhone` function in `internal/telephony/PhoneSubInfoController.java`, which lacks protection of service data. This allows a remote attacker to obtain confidential information using a specially crafted application. The function does not check for the `READ PHONE STATE` permission. **Recommendations** For Android versions 5.x through 5.1.1 LMY49H, update to version 5.1.1 LMY49H or later. For Android versions 6.x through 2016-03-01, update to a version released after 2016-03-01. As a temporary workaround, consider restricting access to the `getDeviceIdForPhone` function until a patch is available.