Four newly identified vulnerabilities could affect 900 million Android devices, Check Point researchers told attendees at the DEF CON 24 security conference in Las Vegas this past weekend.
The vulnerabilities, which the researchers dubbed “QuadRooter,” affect Android devices that use Qualcomm chipsets. They exist in the chipset software drivers.
The drivers, which control communications between chipset components, are incorporated into Android builds manufacturers develop for their devices, so they’re preinstalled on devices and can be fixed only through installation of a patch from the distributor or carrier.
Exploiting any of the four vulnerabilities will let attackers trigger privilege escalations and get root access to the targeted device, Check Point said.
Attackers can exploit the vulnerabilities using a malicious app. Such an app would not require special permissions, and thus would not be easily detected.
The Qualcomm Fix
Qualcomm already has issued fixes for the vulnerabilities, said company spokesperson Catherine Baker.
The company has posted its patches on CodeAurora.
Qualcomm “continues to work proactively both internally as well as with security researchers to identify and address potential security vulnerabilities,” Baker told TechNewsWorld.
The July Android Security Bulletin included all but one update that is scheduled to be issued September.
That doesn’t mean Android devices are safe, however.
“What I don’t know is how fast smartphone manufacturers and carriers distributed the driver updates,” said Kevin Krewell, a principal analyst at Tirias Research.
“That’s a challenge for the Android ecosystem,” he told TechNewsWorld.
Some of the Affected Devices
Qualcomm has 65 percent of the LTE modem baseband market, Check Point said, and some of the latest and most popular Android devices use its chipsets.
Among the Android devices susceptible to the malware are the following:
- Samsung Galaxy S7 and S7 Edge
- Google Nexus 5X, 6 and 6P
- HTC One, M9 and 10
- LG G4, G5 and V10
- Motorola X
- BlackBerry Priv
- OnePlus One, 2 and 3
- Sony Xperia Z Ultra
Qualcomm’s Security Issues
Several vulnerabilities have been reported in Qualcomm’s chipsets over the past few months.
Trend Micro in March reported a vulnerability affecting Snapdragon-powered Android devices, which could be exploited to gain root access on the target device by running a malicious app.
Security researcher Gal Beniamini in May reported a vulnerability that would let hackers gain code execution within Qualcomm’s Secure Execution Environment.
Beniamini in June reported another Qualcomm QSEE flaw that was found its KeyMaster trustlet.
However, the frequency with which security weaknesses in Qualcomm chipsets are discovered is to be expected, suggested Krewell. “Qualcomm’s modems and Snapdragon processors are widely used, so they are under constant scrutiny.”
Affected vs. Infected
Android devices infected with the QuadRooter malware have not yet been discovered, said Jeff Zacuto, mobile security evangelist at Check Point.
“While 900 million devices are affected, that doesn’t necessarily mean they’ve been infected with malicious apps that can be used to exploit these vulnerabilities,” he told TechNewsWorld. “But there’s a risk that there are infectious apps out in the wild that haven’t yet been detected.”
QuadRooter vulnerabilities could give attackers complete control of devices and unrestricted access to sensitive personal and enterprise data on the devices, Check Point warned. Attackers also could get capabilities such as keylogging, GPS tracking, and the ability to record video and audio on the devices.
How to Stay Safe
Installing antivirus software on Android devices won’t help, because they “can only detect malicious apps they know about,” Zacuto pointed out. “That means previously unknown malware can evade traditional [antivirus software].”
Check Point recommended that enterprises and consumers take the following measures to stay safe:
- Install an advanced mobile threat detection and mitigation solution on Android devices;
- Download and install the latest Android updates as soon as they become available;
- Examine any app installation request to ensure it’s legitimate before accepting it;
- Download apps only from Google Play;
- Read permission requests carefully when installing any apps; and
- Use a security solution that monitors devices for malicious behavior.
“As we all know, software is not perfect,” observed Krewell, “and swift updates are the best defense.”
Google argues that in more recent releases the verify app protection alleviates some of this. But I know having had to install Amazon video app that I had to turn off this security feature because Amazon video app is not available through the Google Play store. Amazon makes you download it and install it as a unverified app. Yes, you can turn very app security back on after installing the app. But when a update comes out for that app you probably will have to disable it again. Just the fact many users install apps outside of the Google Play ecosystem. means that this is a valid security risk. Not to mention the horrible update process with the Android system in general. Some of these devices could be exposed forever for a lack of an update. To me this definitely makes me rethink Android as a good mobile OS. If my device doesn’t get a timely update which at the moment is exposed to 3 of these threats. I will seriously have to rethink even keeping the device.