Headlines warn that a new Android vulnerability could expose 900 million devices. Find out the truth about QuadRooter, and what you can do to protect yourself.
Last week, headlines blared that 900 million Android smartphones and tablets were at risk from newly discovered vulnerabilities dubbed QuadRooter. Researchers at Check Point said that the four vulnerabilities affect Android devices built using Qualcomm chipsets.
“If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations for the purpose of gaining root access to a device,” Check Point wrote in a blog post.
“Since the vulnerable drivers are pre-installed on devices at the point of manufacture, they can only be fixed by installing a patch from the distributor or carrier. Distributors and carriers issuing patches can only do so after receiving fixed driver packs from Qualcomm.”
Most likely. Some of the most popular Android devices are affected: Google Nexus 5X, 6 and 6P, Samsung Galaxy S7 and S7 Edge, Sony Xperia Z Ultra, HTC One M9 and HTC 10, LG G4, G5 and V10, to list a few.
Check Point created an app that tells you if your device is affected. Download the QuadRooter Scanner for free from Google Play.
From April to July, Qualcomm developed and released patches for all four vulnerabilities and provided them to their customers, partners and the open source community of developers.
Google says that three of the four issues are already patched in their Nexus devices, while the fourth will be patched in the next security update.
“Nexus devices already have protections for 3 of the 4 issues. We are currently working on an update to Nexus devices to fix the remaining issue (CVE-2016-5340). Patches for all supported Nexus devices will be delivered over the air by early September,” wrote a representative of Google's mobile divisions in an email to Avast mobile security researcher Filip Chytrý.
“For the broader Android ecosystem, all Android devices with a patch string of Sept 6, 2016 (or greater) must include these fixes. In addition, we are updating Google Play, Verify Apps, and Safety Net to provide users with another layer of protection. Exploitation of these issues depends on users downloading and installing a malicious application. So far, we have seen no evidence of exploitation of these issues.”
The fragmentation of the Android operating system means that users will get patches at different times, based on when the device manufacturers and mobile operators push them out.
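Because patches arrive at different times, the patch string is the practical thing to check on each device. The script below is an added example, not code from Check Point, Google or Avast: it classifies devices against the Sept 6, 2016 patch level quoted above, assuming the level is reported in the `YYYY-MM-DD` form used by the `ro.build.version.security_patch` property; the inventory rows and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit Android security patch levels against the threshold
# Google quoted for the QuadRooter fixes. Inventory rows are constructed.
THRESHOLD="2016-09-06"

# classify_patch LEVEL -> prints patched | unpatched | unknown
classify_patch() {
    level=$1
    # Builds that predate the patch-level property report an empty string.
    # Anything not shaped like YYYY-MM-DD is "unknown", never "patched".
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    # Zero-padded ISO dates compare correctly as integers without the dashes.
    l=$(printf '%s' "$level" | tr -d '-')
    t=$(printf '%s' "$THRESHOLD" | tr -d '-')
    if [ "$l" -ge "$t" ]; then echo patched; else echo unpatched; fi
}

# audit_inventory: reads "serial|model|patch_level" rows on stdin, prints a
# verdict per device, and returns 1 if any device is not confirmed patched.
audit_inventory() {
    rc=0
    while IFS='|' read -r serial model level; do
        [ -n "$serial" ] || continue
        verdict=$(classify_patch "$level")
        printf '%s|%s|%s|%s\n' "$serial" "$model" "${level:-<none>}" "$verdict"
        [ "$verdict" = patched ] || rc=1
    done
    return $rc
}

# Constructed sample rows (serials are placeholders, levels are made up).
sample_inventory() {
    cat <<'EOF'
CONSTRUCTED01|Nexus 6P|2016-09-06
CONSTRUCTED02|Galaxy S7|2016-08-01
CONSTRUCTED03|Xperia Z Ultra|
EOF
}

# For a device attached over USB, the level can be read with:
#   adb shell getprop ro.build.version.security_patch | tr -d '\r'
sample_inventory | audit_inventory || echo "at least one device is below $THRESHOLD"
```

A device reported as `unknown` should be treated as unpatched until the vendor confirms otherwise.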
“So, technically, yes, you should worry,” says Chytrý. “It’s not possible to push updates to all devices worldwide. There are too many versions which need to be fixed and it’s sure that they are not going to fix all of them.”
“The scariest thing about QuadRooter is it can pass the Google Play security service ‘bouncer’, so if you are a hacker you can upload a new unknown app directly to Google Play to get root access of user devices. Then you can do whatever you want with those devices,” said Chytrý.
Mobile hackers exploit vulnerabilities like these, which leaves enterprise devices especially exposed. Using the QuadRooter vulnerabilities, hackers can potentially take complete control of devices and gain unrestricted access to the sensitive personal and enterprise data on them.
Having virtual mobile infrastructure in place will protect corporate apps and data stored on personal BYOD mobile devices.
“Even if a user had a device that was compromised by QuadRooter, the virtualized version of Android would continue to operate unaffected by the attack, and the customer’s applications and data would remain secure because they were being run and stored on a remote server outside the device,” wrote Pablo Sole on the Avast Virtual Mobile Platform blog.
Learn what Avast Virtual Mobile Platform can do for your company.
Yes, Avast Mobile Security can detect new apps using this vulnerability.