Almost 1bn Android smartphones vulnerable to new QuadRooter risk

8 Aug 2016

900m Android devices with Qualcomm chips around the world are understood to be affected by a high-risk vulnerability

More than 900m Android devices with Qualcomm chips are understood to be affected by a high-risk vulnerability that won’t be patched until next month.

The Check Point mobile threat research team, which calls the set of vulnerabilities QuadRooter, presented its findings in a session at the Def Con 24 hacking conference in Las Vegas at the weekend.

Qualcomm is the world’s leading designer of LTE chipsets, with a 65pc share of the LTE modem baseband market.

Future Human

What is QuadRooter?

QuadRooter is a set of four vulnerabilities affecting Android devices using Qualcomm chipsets. These including devices from BlackBerry, Google’s various Nexus devices, most recent HTC devices, LG, Motorola, OnePlus, Samsung’s S7 and S7 Edge and the Sony Xperia Z Ultra.

QuadRooter vulnerabilities are found in software drivers that ship with Qualcomm chipsets and any device with these chipsets are at risk.

“An attacker can exploit these vulnerabilities using a malicious app,” Check Point warned.

“Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing.”

If exploited, QuadRooter vulnerabilities can give attackers complete control of devices and unrestricted access to sensitive personal and enterprise data on them. Access could also provide an attacker with capabilities such as keylogging, GPS tracking, and recording video and audio.

Check Point said that since the vulnerable drivers are pre-installed on devices at the point of manufacture, they can only be fixed by installing a patch from the distributor or carrier.

The earliest such update may not be available until September.

“This situation highlights the inherent risks in the Android security model. Critical security updates must pass through the entire supply chain before they can be made available to end users,” Check Point said.

“Once available, the end users must then be sure to install these updates to protect their devices and data.”

Android security image via Shutterstock

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years