900 million Android devices affected by Quadrooter security flaws

Hackers can potentially infect Android devices with malware, which when installed, would provide them with "privilege escalation" to gain rooting access to devices, thanks to four new vulnerabilities, dubbed Quadrooter, identified by security researchers. Around 900 million Android devices have been left vulnerable by Quadrooter.

According to security firm Check Point, hackers could potentially exploit any one of the four identified vulnerabilities to gain rooting privileges, which would then give the hackers full control over the affected device. This means that hackers would then have access to all the data and hardware of the infected device, including camera and microphone.

The vulnerabilities affect Android devices of various brands, including:

• BlackBerry Priv, Blackphone 1 and 2,
• Google Nexus 5X, 6 and 6P,
• HTC One M9 and HTC 10,
• LG G4, G5, and V10,
• New Moto X by Motorola,
• OnePlus One, 2 and 3,
• Samsung Galaxy S7 and S7 Edge,
• Sony Xperia Z Ultra

"An attacker can exploit these vulnerabilities using a malicious app. Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing. Since the vulnerable drivers are pre-installed on devices at the point of manufacture, they can only be fixed by installing a patch from the distributor or carrier. Distributors and carriers issuing patches can only do so after receiving fixed driver packs from Qualcomm," Check Point said.

Flaws in-built

"During our research, we found multiple privilege escalation vulnerabilities in multiple subsystems introduced by Qualcomm to all its Android devices in multiple different subsystems," said Check
Point senior security researcher Adam Donenfeld, presenting the firm's findings at the DefCon security conference on 7 August.

The flaws uncovered by Check Point were found to affect Qualcomm chip drivers, which are installed into devices during manufacturing. This means that Google, which provides the software for Android devices, would not be able to produce the security patches. Instead, the security updates must come from the hardware manufacturer (in this case Qualcomm), to be provided to the phone vendors, before it can be rolled out to the users.

3 down, 1 to go

Three of the four security flaws identified have already been patched. However, the remaining vulnerability is yet to be fixed, the Register reported. The security patch for the remaining vulnerability will likely arrive with Google's monthly security update release, and should be available to users in September.

"No-one at this point has a device that's fully secure," Check Point mobility product management head Michael Shaulov told ZDNet. "That basically relates to the fact that there is some kind of issue of who fixes what between Qualcomm and Google."

Check Point has a free app that enables users to check if their devices are vulnerable.