A new Android flaw has been reported by security researchers that is claimed to affect roughly 900 million Android devices. Check Point mobile research team first reported the issue and claims that it affects all devices using Qualcomm chipsets.
Dubbed ‘QuadRooter’, it is said to be a set of four vulnerabilities affecting Android devices built on Qualcomm chipsets. The research team explains that if any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations for the purpose of gaining root access to a device. The team also claimed that the QuadRooter vulnerabilities are present in software drivers that ship with Qualcomm SoCs. “Any Android device built using these chipsets is at risk,” notes Check Point.
Qualcomm informed ZDNet that patches for the issue were released to “customers, partners, and the open source community between April and the end of July.”
One of the biggest concerns with the QuadRooter vulnerability is that the buggy software is pre-installed on devices at the point of manufacture, and can only be fixed via security patch released by the carrier or distributor. “Distributors and carriers issuing patches can only do so after receiving fixed driver packs from Qualcomm,” adds Check Point in a blog post.
“An attacker can exploit these vulnerabilities using a malicious app. Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing,” explains Check Point mobile research team.
Some of the popular devices said to be affected by the new QuadRooter flaw include BlackBerry Priv, Google Nexus 5X, Nexus 6P, HTC 10, LG G5, Moto X, OnePlus 3, and Samsung Galaxy S7 among others. The team also claimed that secure phones – Blackphone 1 and Blackphone 2 – are also likely to be affected by this vulnerability. Adam Donenfeld, Lead Mobile Security Researcher at Check Point, revealed the vulnerability at a recent Def Con security conference in Las Vegas.
“If exploited, QuadRooter vulnerabilities can give attackers complete control of devices and unrestricted access to sensitive personal and enterprise data on them. Access could also provide an attacker with capabilities such as keylogging, GPS tracking, and recording video and audio,” adds the team.
A Qualcomm spokesperson told ZDNet, “Qualcomm has a significant position in the development chain, in that a phone maker isn’t taking the Android open-source code directly from Google, they’re actually taking it from Qualcomm. No-one at this point has a device that’s fully secure. That basically relates to the fact that there is some kind of issue of who fixes what between Qualcomm and Google.”
Check Point recommends some best practices to keep Android devices safe from such attacks like downloading and installing the latest Android update; examine any app installation request before accepting; avoid side-loading Android apps, and read permission requests when installing any apps among others.