QuadRooter vulnerability affects Android devices

Tuesday, 09 August, 2016

Four newly discovered Android vulnerabilities have been announced by mobile researchers from Check Point Software Technologies Ltd at Def Con 24 in Las Vegas. The vulnerabilities affect more than 900 million Android smartphones and tablets and could provide attackers with complete control of the devices, as well as access to sensitive data.

Check Point calls the set of vulnerabilities QuadRooter. If exploited, they could also provide an attacker with capabilities such as keylogging, GPS tracking and recording video and audio. The vulnerabilities are found in the software drivers Qualcomm ships with its chipsets and can be exploited using a malicious app. The app would require no special permissions to take advantage of the vulnerabilities, which means it would not make users suspicious.

Since the vulnerable software drivers are pre-installed on devices at the point of manufacture, they can only be fixed by installing a patch from the device’s distributor or carrier. Distributors and carriers issuing patches can only do so after receiving fixed driver packs from Qualcomm.

Michael Shaulov, head of mobility product management for Check Point, said, “The supply chain is complex, which means every patch must be added to and tested on Android builds for each unique device model affected by the flaws. This process can take months, leaving devices vulnerable in the interim, and users are often not made aware of the risks to their data. The Android security update process is broken and needs to be fixed.”

Check Point researchers provided Qualcomm with information about the vulnerabilities in April 2016. The team then followed the industry-standard disclosure policy (CERT/CC policy) of allowing 90 days for Qualcomm to produce patches before disclosing the vulnerabilities. Qualcomm reviewed these vulnerabilities, classified each as high risk and has since released patches to original equipment manufacturers (OEMs).

Affected devices include Samsung Galaxy S7 & S7 Edge, Sony Xperia Z Ultra, Google Nexus 5X, 6 & 6P, HTC One M9 & HTC 10, LG G4, G5 & V10, Motorola Moto X, OnePlus One, 2 & 3, BlackBerry Priv and Blackphone 1 & 2.


  • All content Copyright © 2018 Westwick-Farrow Pty Ltd