search slide
search slide
pages bottom

Qualcomm bugs expose nearly 1 billion Android devices to exploits

Android users are staring down the barrel of another significant security vulnerability, which was detailed at the DEF CON security conference. It’s actually a group of four vulnerabilities in Qualcomm-based smartphones and tablets, which has been dubbed QuadRooter by security firm Check Point. Depending on the device you have, you might already have patches for some parts of QuadRooter, or you might be waiting a good long time for them. That’s just the nature of the beast.

Qualcomm is far and away the most prolific maker of mobile systems-on-a-chip, the packages that include CPU, GPU, DSP, and other core components. Virtually all high-end smartphones and tablets have a Qualcomm chip inside. That turns out to be a problem in the case of QuadRooter. The four issues are known (they were disclosed privately before being discussed publicly) as CVE-2016-2059, CVE-2016-2504, CVE-2016-2503, and CVE-2016-5340. They are rooted in the Linux system code provided by Qualcomm to partners like Google.

Unlike the Stagefright vulnerability last year that prompted a change to Google’s update model, QuadRooter actually needs to run code locally on your device. In order to be affected by QuadRooter, you would need to install a rogue app designed to take advantage of the flaws in Qualcomm’s code. The flaws allow an app to escalate its privileges and gain control of the phone. It’s essentially an in-place root exploit. These apps could then gain access to all the personal information stored on your device. 

Vulnerable phones include the Samsung Galaxy S7, Moto Z, HTC 10, LG G5, OnePlus 3, Nexus 6P, and many other high-end devices. Check Point contends that about 900 million Android devices are vulnerable to the flaws on some level. Although, it’s not clear how it arrived at that number. While Qualcomm chips are the most common, there are phones on the market that run other types of SoCs. For example, budget phones with MediaTek chips and Samsung devices that run Exynos.

qualcomm-snapdragon-808-810-20140408-1

Qualcomm has already made the necessary changes on its end, but the problem here is the F-word—fragmentation. People have been wringing their hands about Android fragmentation for years, but it’s hardly a doom and gloom scenario anymore. Three of the four vulnerabilities have been patched as of the August security update level, and the last one should be included in next month’s patch. That means Nexus devices are safe. Samsung also tends to get security patches out to its phones in a timely manner. Everything else is going to be delayed at least a few months as OEMs and carriers build and test the updates. Many phones shipping now are still running security patches from early this summer, which don’t block the QuadRooter exploits.

So, panic? Nah, you’re probably still fine. Remember, you need to actually install a malware app for this to affect you. To keep yourself safe, leave the “unknown sources” toggle off in the Android security settings (this is the default) and don’t install APKs from untrusted sources. Stick to the Play Store for your apps. Now that these exploits are public, Google’s Play Store scanners should be able to blast any apps that are uploaded in an attempt to infect devices. As usual, the odds of your phone actually being exploited by this vulnerability are remote. If you’re curious, Check Point also has an app in the Play Store that will scan your device for QuadRooter. 

Leave a Reply

Captcha image