Android vulnerability QuadRooter attracted attention at DefCon24 event. QuadRooter was marketed as New Android Vulnerabilities in Over 900 Million Devices. Security company Check Point made lots of noise about it, including releasing an Adroid app to check your phone against this security flaw.
QuadRooter is a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets (found on software drivers): If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations for the purpose of gaining root access to a device. An attacker can exploit these vulnerabilities using a malicious app (app would not require any special permissions). If exploited, QuadRooter vulnerabilities can give attackers complete control of devices and all data.
The Check Point mobile threat research team, which calls the set of vulnerabilities QuadRooter, presented its findings in a session at DEF CON 24 in Las Vegas (check the presentation slides for detais). The vulnerability can affect very many Android device, becauseQualcomm is the world’s leading designer of LTE chipsets (65% share of the LTE modem baseband market). Many of the latest and most popular Android devices found on the market today use these chipsets. All versions of Android are vulnerable to these flaws, which won’t be fully patched until the September security release next month. Check Point said most phone makers have devices that are vulnerable.
Four previously undisclosed security vulnerabilities found in Android phones and tablets that ship with Qualcomm chips could let a hacker take full control of an affected device and almost a billion Android devices are affected by the “high” risk privilege escalation vulnerabilities. Sounds bad. How can I protect against those vulnerabilities? Check Point recommends using their mobile threat detection and mitigation solution on the Android device (good place for marketing their solutions).
But you might not need any new special software as Google confirms ‘Verify Apps’ can block apps using QuadRooter vulnerabilities. Android’s “Verify Apps” feature, included in Google Play Services and enabled by default almost four years ago in Android 4.2 Jelly Bean, is designed to protect against exactly this sort of thing: Verify Apps can identify and block apps using QuadRooter. Also Android devices with our most recent security patch level are already protected against three of these four vulnerabilities. The fourth vulnerability, CVE-2016-5340, will be addressed. Qualcomm has already provided fixed code to partners.
Unlike last year’s Stagefright exploits, QuadRooter needs to be delivered in the form of an app, meaning you’d have to enable “Unknown Sources” and manually install an app from somewhere nefarious in order to become infected. Most Android phones don’t allow the installation of third-party apps outside of the Google Play app store, but attackers have slipped malicious apps through the security cracks before.
Latest exploit is roadblocked on 90% of Android devices: Apps using an exploit as serious as QuadRooter would likely be roadblocked completely by Verify Apps — Android would display an “Installation has been blocked” message with no option to ignore and install anyway. While devices are technically still “vulnerable” even with Verify Apps, users would have to manually disable yet another security feature to be affected.
So the fact is that No, 900 million Android devices are not at risk from the ‘Quadrooter’ monster. And it seem that the claim “All versions of Android are vulnerable to these flaws, which won’t be fully patched until the September security release next month” does not hold.
Another day, another overblown Android security scare. So here again there was much more unsecurity hype here on the news today than immediate wide danger. Some users are in real danger (quite small number compared to first news) can stay that way for some time – for that you can blame the complex, messy supply chain.
Sources:
http://www.uusiteknologia.fi/2016/08/09/android-haavoittuvuus-kerasi-huomiota/
http://www.tivi.fi/Kaikki_uutiset/jopa-900-miljoonaa-android-puhelinta-vaarassa-joutua-korkatuksi-nyt-ei-kenenkaan-puhelin-ole-taysin-turvallinen-6571943
http://www.tivi.fi/Kaikki_uutiset/testaa-onko-puhelimesi-vaarassa-ainakin-naissa-luureissa-on-quadrooter-haavoittuvuus-6572267
https://play.google.com/store/apps/details?id=com.checkpoint.quadrooter
http://mobiili.fi/2016/08/09/tama-androidin-turvatoiminto-suojaa-hurjalta-quadrooter-haavoittuvuudelta/
http://blog.checkpoint.com/2016/08/07/quadrooter/
http://www.androidcentral.com/google-confirms-verify-apps-can-block-apps-quadrooter-exploits
http://www.computerworld.com/article/3105569/android/android-quadrooter.html
http://www.zdnet.com/article/quadrooter-security-flaws-affect-over-900-million-android-phones/
https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Adam-Donenfeld-Stumping-The-Mobile-Chipset.pdf
http://mobiili.fi/2016/08/09/tama-androidin-turvatoiminto-suojaa-hurjalta-quadrooter-haavoittuvuudelta/
2 Comments
Tomi Engdahl says:
The problem is there are still so many hands in the pot when it comes to updating Android. Google updates its software, but device makers have to tailor it for their phones — and sometimes they get their software not from Google, but from chipmakers like Qualcomm. And then sometimes mobile carriers want to do their own testing to make sure they aren’t inadvertently introducing other problems onto their network.
All that means the time from when a flaw is identified or disclosed to when it is fixed is longer than it should be, sometimes leaving hundreds of millions of phones vulnerable for weeks or months.
“The problem continues to be that Android security updates are really hard because of [their] fragmented ecosystem,” said Check Point mobile security evangelist Jeff Zacuto told Recode.
Source: http://www.recode.net/2016/8/8/12403088/android-security-mess-quadrooter
Tomi Engdahl says:
Zack Whittaker / ZDNet:
Google fixes final two “Quadrooter” Android flaws, which were rated as “critical”, a month after their disclosure
Google fixes final ‘Quadrooter’ flaws with new security patch
The outstanding flaws were fixed a month after the initial disclosure.
http://www.zdnet.com/article/google-fixes-quadrooter-flaws-in-latest-round-of-android-security-patches/
What took Google a month to fix took others just a couple of weeks.
In the latest round of Android security fixes released Tuesday, the company fixed two remaining flaws that were part of the so-called “Quadrooter” set of vulnerabilities announced last month.
Quadrooter was particularly troublesome because the set of four flaws (hence the name “quad”) affected at least 900 million Android devices. These high-risk vulnerabilities would allow a dedicated and well-trained attacker to gain complete access to an affected phone and its data.
Google, which develops Android, said that most phones had received at least two or even three of the fixes in previous security bulletins. But the rest would remain outstanding for a month, until now, when the company released its regularly-scheduled monthly patches.
According to the bulletin, Google confirmed that the two escalation of privilege bugs — CVE-2016-2059 (rated “high”) and CVE-2016-5340 (rated “critical”) — were fixed.
The Android software and phone maker also fixed six more critical bugs in the mobile operating system, including two remote code execution flaw in core Android components.