Android vulnerability QuadRooter attracted attention at DefCon24 event. QuadRooter was marketed as New Android Vulnerabilities in Over 900 Million Devices. Security company Check Point made lots of noise about it, including releasing an Adroid app to check your phone against this security flaw.
QuadRooter is a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets (found on software drivers): If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations for the purpose of gaining root access to a device. An attacker can exploit these vulnerabilities using a malicious app (app would not require any special permissions). If exploited, QuadRooter vulnerabilities can give attackers complete control of devices and all data.
The Check Point mobile threat research team, which calls the set of vulnerabilities QuadRooter, presented its findings in a session at DEF CON 24 in Las Vegas (check the presentation slides for detais). The vulnerability can affect very many Android device, becauseQualcomm is the world’s leading designer of LTE chipsets (65% share of the LTE modem baseband market). Many of the latest and most popular Android devices found on the market today use these chipsets. All versions of Android are vulnerable to these flaws, which won’t be fully patched until the September security release next month. Check Point said most phone makers have devices that are vulnerable.
Four previously undisclosed security vulnerabilities found in Android phones and tablets that ship with Qualcomm chips could let a hacker take full control of an affected device and almost a billion Android devices are affected by the “high” risk privilege escalation vulnerabilities. Sounds bad. How can I protect against those vulnerabilities? Check Point recommends using their mobile threat detection and mitigation solution on the Android device (good place for marketing their solutions).
But you might not need any new special software as Google confirms ‘Verify Apps’ can block apps using QuadRooter vulnerabilities. Android’s “Verify Apps” feature, included in Google Play Services and enabled by default almost four years ago in Android 4.2 Jelly Bean, is designed to protect against exactly this sort of thing: Verify Apps can identify and block apps using QuadRooter. Also Android devices with our most recent security patch level are already protected against three of these four vulnerabilities. The fourth vulnerability, CVE-2016-5340, will be addressed. Qualcomm has already provided fixed code to partners.
Unlike last year’s Stagefright exploits, QuadRooter needs to be delivered in the form of an app, meaning you’d have to enable “Unknown Sources” and manually install an app from somewhere nefarious in order to become infected. Most Android phones don’t allow the installation of third-party apps outside of the Google Play app store, but attackers have slipped malicious apps through the security cracks before.
Latest exploit is roadblocked on 90% of Android devices: Apps using an exploit as serious as QuadRooter would likely be roadblocked completely by Verify Apps — Android would display an “Installation has been blocked” message with no option to ignore and install anyway. While devices are technically still “vulnerable” even with Verify Apps, users would have to manually disable yet another security feature to be affected.
So the fact is that No, 900 million Android devices are not at risk from the ‘Quadrooter’ monster. And it seem that the claim “All versions of Android are vulnerable to these flaws, which won’t be fully patched until the September security release next month” does not hold.
Another day, another overblown Android security scare. So here again there was much more unsecurity hype here on the news today than immediate wide danger. Some users are in real danger (quite small number compared to first news) can stay that way for some time – for that you can blame the complex, messy supply chain.