PT-2016-1577 · Google · Android

Su Mon Kywe +3 · Published 2016-03-12 · Updated 2016-11-28 · CVE-2016-0831

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Android versions 5.x through 5.1.1 LMY49H
Android versions 6.x through 2016-03-01

Description

The issue is related to the getDeviceIdForPhone function in internal/telephony/PhoneSubInfoController.java, which lacks protection of service data. This allows a remote attacker to obtain confidential information using a specially crafted application. The function does not check for the READ_PHONE_STATE permission.

Recommendations

For Android versions 5.x through 5.1.1 LMY49H, update to version 5.1.1 LMY49H or later.
For Android versions 6.x through 2016-03-01, update to a version released after 2016-03-01.
As a temporary workaround, consider restricting access to the getDeviceIdForPhone function until a patch is available.

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

BDU:2016-00878
CVE-2016-0831

Affected Products

Android