SentinelOne director of mobile research Tim Strazzere said he found an open socket—shell@blackphone:/dev/socket $ ls l at_pal srwrwrw radio system 20150731 17:51 at_pal—accessible on the phone that the agps_daemon, a system-level shell is able to communicate with. The vulnerability, CVE-2015-6841, is specific to the modem used by the Blackphone, the Icera modem developed by nVidia. The manufacturer announced in May it was discontinuing its Icera softmodem business.
Strazzere said that an attacker could use a malicious app, or chain together a Stagefright-type exploit with this vulnerability, to send commands to the phone’s radio.
The result poses a number of privacy and security woes for victims; an attacker could enable call forwarding, mute the phone, or send and read SMS messages all without leaving a trace on the device.