Android QuadRooter vulnerability: should you be worried?


Details of a security flaw which could potentially compromise 900 million Android handsets recently came to light – but is it something you need to worry about? We’ve spoken to the major players in the mobile market to find out what’s going on.

Research carried out by Check Point highlighted a potential risk to handsets running particular Qualcomm chipsets, after it found a set of vulnerabilities dubbed ‘QuadRooter’.

This relates to four vulnerabilities which potentially allow attackers to gain access to your device using a malicious app, with high-end handsets including the HTC 10, LG G5, BlackBerry Priv, OnePlus 3 and the US variants of the Samsung Galaxy S7 and S7 Edge in the crosshairs.

It’s worth noting that the likelihood of downloading a malicious app is low, unless you frequently opt to download from spurious ‘unknown sources’, and to date there have been no recorded attacks exploiting this flaw.

There are two very simple things you can do to minimize the risk of falling victim to a QuadRooter hack:

  • Keep your smartphone updated with the latest software
  • Only download apps from trusted sources (e.g. the Google Play Store)

What’s Qualcomm doing?

  • Fix status: patches already distributed

While details of QuadRooter have only recently been brought to public attention, Check Point alerted Qualcomm to the vulnerability at the start of the year, and the chipset manufacturer has already developed a patch.

A Qualcomm spokesperson said: “We were notified by the researcher about these vulnerabilities between February and April of this year, and made patches available for all four vulnerabilities to customers, partners, and the open source community between April and July.

“The patches were also posted on CodeAurora. QTI continues to work proactively, both internally as well as with security researchers, to identify and address potential security vulnerabilities.”

That means the fix now lies in the hands of the people who make our phones, control our networks and of course, Google – the brains behind the Android platform. We’ve contacted a number of the major players to find out when you can expect the fix to land on your phone, and we’ll update this article as we get responses.


Google Nexus 6P

  • Key handsets at risk: Nexus 5X, Nexus 6, Nexus 6P
  • Fix status: three out of four vulnerabilities covered in latest patch

There’s good news from Google, which has moved to fix the issue at its root, with a spokesperson telling us: “Android devices with our most recent security patch level are already protected against three of these four vulnerabilities.

“The fourth vulnerability, CVE-2016-5340, will be addressed in an upcoming Android security bulletin, though Android partners can take action sooner by referencing the public patch Qualcomm has provided.”

Google was also quick to highlight that Android already has safeguards in place against potential attacks like this. “Exploitation of these issues depends on users also downloading and installing a malicious application,” the spokesperson added. “Our Verify Apps and SafetyNet protections help identify, block, and remove applications that exploit vulnerabilities like these.”


BlackBerry Priv

A spokesperson for the Canadian firm told us: “BlackBerry is aware of the QuadRooter flaws, and the vulnerabilities that affect the majority of Android devices.

“A fix for BlackBerry’s Android devices was integrated and tested in our labs immediately after the report was received, and we will expedite it to customers as soon as possible.”

That said, the firm reckons its devices aren’t at serious risk from QuadRooter. “We believe that BlackBerry’s secure boot chain design mitigates the issue, since any elevation of privilege to root level will be temporary, and any exploit for this issue would be unable to gain a persistent root,” the spokesperson added.

“BlackBerry is not aware of any exploits for this vulnerability in the wild, and does not believe that any customers are currently at risk from this issue.”


Sony Xperia XA

  • Key handset at risk: Xperia Z Ultra
  • Fix status: working to make patches available

Meanwhile Sony is working on getting patches ready for its fleet of Qualcomm-powered smartphones, with a spokesperson telling TechRadar: “Sony Mobile takes the security and privacy of customer data very seriously.

“We are aware of the ‘QuadRooter’ vulnerability, and are working to make the security patches available within normal and regular software maintenance, both directly to open-market devices and via our carrier partners, so timings can vary by region and/or operator.

“Users can take steps to protect themselves by only downloading trusted applications from reputable application stores.”


Motorola Moto X

  • Key handset at risk: Moto X
  • Fix status: can already be avoided

There’s good news from Motorola, with the Lenovo-owned firm providing a solution which all Android users can take advantage of.

A spokesperson told us: “Recently a potential security vulnerability, QuadRooter, was discovered in certain Android devices. This potential vulnerability can only be exploited if a user disables the built-in Android security measure and downloads a malicious application.

“For more information on how to ensure this is disabled, this link is helpful for consumers.”


HTC 10

  • Key handsets at risk: HTC 10, One M9
  • Fix status: investigating reports

All we have so far from the Taiwanese firm is a short, sweet statement from a spokesperson saying: “HTC takes customer security very seriously. We are aware of these reports and are investigating them.”

We’re hoping for more information from HTC very soon.


We’re waiting for Samsung to get back to us with a comment on the QuadRooter vulnerability.


We’re waiting for LG to get back to us with a comment on the QuadRooter vulnerability.


A OnePlus spokesperson told us: “Security is a top priority for OnePlus. The relevant security patches will be included in the next OTAs (Over The Air updates) for all OnePlus devices.”
