New vulnerabilities affect over 900 million Android devices, enable complete control of devices

Check Point researchers have announced four new vulnerabilities that affect over 900 million Android smartphones and tablets at DEF CON in Las Vegas.

QuadRooter is a set of four vulnerabilities affecting Android devices that are built on the Qualcomm chipset, a supplier of 80% of the chipsets in the Android ecosystem. If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations and gain root access to a device, enabling them to change or remove system-level files, delete or add apps, and access the device’s screen, camera or microphone.

What’s vulnerable?

The vulnerabilities are found in the software drivers Qualcomm ships with its chipsets. An attacker can exploit these vulnerabilities using a malicious app to trigger privilege escalations and gain root access to a device. This app would require no special permissions to take advantage of the vulnerabilities, which means they would not make users suspicious.

Affected devices include:

• Samsung Galaxy S7 & S7 Edge
• Sony Xperia Z Ultra
• Google Nexus 5X, 6 & 6P
• HTC One M9 & HTC 10
• LG G4, G5 & V10
• Motorola Moto X
• OnePlus One, 2 & 3
• BlackBerry Priv
• Blackphone 1 & 2

Since the vulnerable drivers are pre-installed on devices at the point of manufacture, they can only be fixed by installing a patch from the distributor or carrier. Distributors and carriers issuing patches can only do so after receiving fixed driver packs from Qualcomm.

Check Point has released a free QuadRooter scanner app that enables Android users to find out if their device is vulnerable, and prompt them to download patches for the problem.

Vulnerability disclosure

Check Point researchers provided Qualcomm with information about the vulnerabilities in April 2016. The team then followed the industry-standard disclosure policy (CERT/CC policy) of allowing 90 days for Qualcomm to produce patches before disclosing the vulnerabilities. Qualcomm reviewed these vulnerabilities, classified each as high risk, and has since released patches to original equipment manufacturers (OEMs).

The disclosure of the Quadrooter vulnerability follows on from Check Point’s discovery last month that over 85 million Android devices had been infected with the Hummingbad malware, generating an estimated $300,000 per month in fraudulent ad revenue for the criminals behind it.

Android security best practices

Check Point recommends the following best practices to help keep Android devices safe from attacks:

• Download and install the latest Android updates as soon as they become available
• Understand the risks of rooting devices – either intentionally or from an attack
• Avoid side-loading Android apps (.APK files) or downloading apps from third-party sources. Instead, download apps only from Google Play
• Read permission requests when installing any apps carefully. Be wary of apps that ask for permissions that seem unusual or unnecessary, or use large amounts of data or battery life
• Use known, trusted Wi-Fi networks or while traveling use only those that you can verify are provided by a trustworthy source
• End users and enterprises should consider using mobile security solutions designed to detect suspicious behavior on a device, including malware that could be obfuscated within installed apps.