QuadRooter vulnerability affects Android devices


Tuesday, 09 August, 2016

Four newly discovered Android vulnerabilities have been announced by mobile researchers from Check Point Software Technologies Ltd at Def Con 24 in Las Vegas. The vulnerabilities affect more than 900 million Android smartphones and tablets and could provide attackers with complete control of the devices, as well as access to sensitive data.

Check Point calls the set of vulnerabilities QuadRooter. If exploited, they could also provide an attacker with capabilities such as keylogging, GPS tracking and recording video and audio. They are found in the software drivers Qualcomm ships with its chipsets and can be exploited using a malicious app. The app would require no special permissions to take advantage of the vulnerabilities, which means it would not make users suspicious.

Since the vulnerable software drivers are pre-installed on devices at the point of manufacture, they can only be fixed by installing a patch from the device’s distributor or carrier. Distributors and carriers issuing patches can only do so after receiving fixed driver packs from Qualcomm.

Michael Shaulov, head of mobility product management for Check Point, said, “The supply chain is complex, which means every patch must be added to and tested on Android builds for each unique device model affected by the flaws. This process can take months, leaving devices vulnerable in the interim, and users are often not made aware of the risks to their data. The Android security update process is broken and needs to be fixed.”

Check Point researchers provided Qualcomm with information about the vulnerabilities in April 2016. The team then followed the industry-standard disclosure policy (CERT/CC policy) of allowing 90 days for Qualcomm to produce patches before disclosing the vulnerabilities. Qualcomm reviewed these vulnerabilities, classified each as high risk and has since released patches to original equipment manufacturers (OEMs).

Affected devices include Samsung Galaxy S7 & S7 Edge, Sony Xperia Z Ultra, Google Nexus 5X, 6 & 6P, HTC One M9 & HTC 10, LG G4, G5 & V10, Motorola Moto X, OnePlus One, 2 & 3, BlackBerry Priv and Blackphone 1 & 2.
