A nonphysical attacker could gain ADB access by infecting an ADB-authorized developer’s PC with malware or by using malicious chargers targeting ADB-enabled devices.
“The vulnerability could have been exploited by physical or nonphysical attackers with Android Debug Bridge (ADB) access to the device. Clearly such an ability would have been very appealing to thieves,” Roee Hay of the X-Force said in a post explaining the bug. “The vulnerability would have permitted an attacker to obtain a full memory dump of the Nexus 5X device, allowing sensitive information to be exfiltrated from the device without it being unlocked. The issue affected some of the Android images on the Nexus 5X phone, which is sold by Google. Researchers from IBM’s X-Force team discovered the vulnerability several months ago and reported it to Google, who patched it in March.
The bug could have been exploited by a remote attacker or someone who had physical access to a vulnerable device. Google quietly patched a serious vulnerability in the Android image used on some Nexus devices that could allow an attacker to get full access to a device’s memory even while it was locked.
