CVE-2021-39635
📋 TL;DR
CVE-2021-39635 is a critical privilege escalation vulnerability in the ims_ex system service on Unisoc-powered Android devices. It allows unprivileged applications without phone permissions to access VoLTE sensitive information and manage VoLTE calls. This affects Android devices using Unisoc chipsets with vulnerable versions of the ims_ex service.
💻 Affected Systems
- Android devices with Unisoc (Spreadtrum) chipsets
📦 What is this software?
Android by Google
⚠️ Risk & Real-World Impact
Worst Case
Attackers could intercept, redirect, or terminate VoLTE calls, access call metadata and sensitive VoLTE configuration data, potentially enabling surveillance or service disruption.
Likely Case
Malicious apps could silently collect VoLTE call information, manipulate call settings, or cause service instability without user knowledge.
If Mitigated
With proper permission validation, only system apps with appropriate permissions can access VoLTE management functions.
🎯 Exploit Status
Exploitation requires installing a malicious app on the target device. The vulnerability is straightforward to exploit once an app is installed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Android Security Bulletin February 2022 patches
Vendor Advisory: https://source.android.com/security/bulletin/2022-02-01
Restart Required: Yes
Instructions:
1. Check for Android security updates in device settings. 2. Install February 2022 or later security patches. 3. For OEM devices, check manufacturer's security updates. 4. Reboot device after update installation.
🔧 Temporary Workarounds
Restrict app installations
allOnly install apps from trusted sources like Google Play Store and avoid sideloading unknown apps
Review app permissions
allRegularly audit installed apps and remove any suspicious or unnecessary applications
🧯 If You Can't Patch
- Deploy mobile device management (MDM) to control app installations and monitor for suspicious behavior
- Implement application allowlisting to prevent unauthorized apps from running on affected devices
🔍 How to Verify
Check if Vulnerable:
Check Android security patch level in Settings > About phone > Android version. If patch level is before February 2022 and device uses Unisoc chipset, it may be vulnerable.Check Version:
adb shell getprop ro.build.version.security_patchVerify Fix Applied:
Verify security patch level is February 2022 or later in Settings > About phone > Android version📡 Detection & Monitoring
Log Indicators:
- Unusual access to telephony services by non-system apps
- Permission denial logs for ims_ex service access attempts
Network Indicators:
- Abnormal VoLTE call patterns or configurations
SIEM Query:
source="android_logs" AND (process="ims_ex" OR service="ims_ex") AND action="access" AND result="granted" AND caller_package NOT IN (system_apps)