Quadrooter - four Qualcomm bugs that leave your Android phone completely rooted

If you haven’t received the latest security patches from Google, your Android phone is almost certainly vulnerable to one of the so-called ‘Quadrooter’ bugs that affect nearly every Android device on earth.

Security firm Check Point has revealed four significant vulnerabilities in Qualcomm chips that run as many as 900 million Android devices, including newer devices which prioritise faster patching and enhanced security features.

Affected devices include BlackBerry's Priv, Silent Circle's Blackphone, and Google’s Nexus devices, including the 5X, 6, and 6P. Also affected are the HTC One, HTC M9 and HTC 10, LG’s G4 and G5, Motorola’s new Moto X, all OnePlus One flagships, Samsung’s Galaxy S7 and S7 Edge, and Sony’s Xperia Z Ultra.

Fortunately, an attacker can only exploit these Quadrooter bugs if they can dupe a victim into installing a malicious app. That’s a significantly higher barrier to exploitation than Stagefright, the name for a set of bugs affecting a key Android media system discovered last year. The Stagefright bugs only required a specially crafted MMS message to remotely gain control of a vulnerable device; users didn't need to do anything beyond opening a message to become infected.

Quadrooter bugs still have fangs though. As Check Point notes, if a malicious app is installed, it would not need special permissions to exploit the Quadrooter bugs, which reside in the drivers for Qualcomm’s chipsets. Additionally, patching the Qualcomm bugs will be a circuitous affair. First, Qualcomm needs to release a patch for the bugs, then handset makers and carriers need to distribute it, and they're two groups that have an appalling record for distributing Android security patches. If all this happens, device owners will then need to install the patch.

That said, Google last week issued a patch for one of the four bugs, CVE-2016-2504, which relates to a flaw in the kernel graphics driver. The advisory for Google’s August Android security bulletin was dominated by fixes for bugs in chipset drivers, most of which addressed Qualcomm driver bugs. Google appears to have doubled down on hardware driver bugs in the past two months: it has addressed so many of them in the past two monthly updates that it split each patch level into two streams. This was to help device makers and carriers fix the most urgent bugs faster.

The other bugs Check Point revealed included CVE-2016-2059 affecting a Qualcomm kernel module for the router; CVE-2016-5340, an Android subsystem flaw present in devices that rely on Qualcomm chipsets; and CVE-2016-2503, which is related to the bug Google fixed.

Bugs in Qualcomm drivers are important for Android security since Qualcomm is the number one LTE chipset provider to the smartphone market.

Google began rolling out monthly security updates for Android shortly after the first Stagefright bugs were revealed last July.

The Federal Communications Commission and the Federal Trade Commission this year commenced an industry probe of smartphone patching to discover why some devices never receive security updates. The authorities cited Stagefright as one of the reasons for the investigation.

Google’s monthly security update program only covers devices that are newer than Android 4.4, the version Google released in 2013. Google’s snapshot of Android at the beginning of August indicates it was providing patches that covered 80 percent of all Android devices that connected to its app store. But, since Google does not control the mechanism that delivers patches from it to end-user devices, it’s not known what proportion of Android handsets actually receive its patches.
