Check Point Researchers Uncover ‘Quadrooter’ Vulnerability Affecting Over 900M Android Devices

Four newly discovered Android vulnerabilities can give attackers complete control of devices and access to sensitive data on them

Check Point researchers have announced four new vulnerabilities that affect over 900 million Android smartphones and tablets at the Def Con 2016 security event in Las Vegas.

QuadRooter is a set of four vulnerabilities affecting Android devices that are built on the Qualcomm chipset, a supplier of 80% of the chipsets in the Android ecosystem.  If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations and gain root access to a device, enabling them to change or remove system-level files, delete or add apps, and access the device’s screen, camera or microphone.

The vulnerabilities are found in the software drivers Qualcomm ships with its chipsets.  An attacker can exploit these vulnerabilities using a malicious app to trigger privilege escalations and gain root access to a device.  This app would require no special permissions to take advantage of the vulnerabilities, which means they would not make users suspicious.

Affected devices include:

• Samsung Galaxy S7 & S7 Edge
• Sony Xperia Z Ultra
• Google Nexus 5X, 6 & 6P
• HTC One M9 & HTC 10
• LG G4, G5 & V10
• Motorola Moto X
• OnePlus One, 2 & 3
• BlackBerry Priv
• Blackphone 1 & 2

Since the vulnerable drivers are pre-installed on devices at the point of manufacture, they can only be fixed by installing a patch from the distributor or carrier.  Distributors and carriers issuing patches can only do so after receiving fixed driver packs from Qualcomm.

Check Point has released a free QuadRooter scanner app, available from Google Play, that enables Android users to find out if their device is vulnerable, and prompt them to download patches for the problem.  The download link for the app is:   https://play.google.com/store/apps/details?id=com.checkpoint.quadrooter

Michael Shaulov, head of head of mobility product management for Check Point said:  “Vulnerabilities like QuadRooter bring into focus the unique challenge of securing Android devices, and the data they hold.  The supply chain is complex, which means every patch must be added to and tested on Android builds for each unique device model affected by the flaws.  This process can take months, leaving devices vulnerable in the interim, and users are often not made aware of the risks to their data. The Android security update process is broken and needs to be fixed.”

Check Point recommends the following best practices to help keep Android devices safe from attacks:

• Download and install the latest Android updates as soon as they become available.
• Understand the risks of rooting devices – either intentionally or from an attack
• Avoid side-loading Android apps (.APK files) or downloading apps from third-party sources. Instead, download apps only from Google Play.
•         Read permission requests when installing any apps carefully. Be wary of apps that ask for permissions that seem unusual or unnecessary, or use large amounts of data or battery life.
• Use known, trusted Wi-Fi networks or while traveling use only those that you can verify are provided by a trustworthy source.
• End users and enterprises should consider using mobile security solutions designed to detect suspicious behavior on a device, including malware that could be obfuscated within installed apps.

Check Point researchers provided Qualcomm with information about the vulnerabilities in April 2016. The team then followed the industry-standard disclosure policy (CERT/CC policy) of allowing 90 days for Qualcomm to produce patches before disclosing the vulnerabilities.   Qualcomm reviewed these vulnerabilities, classified each as high risk, and has since released patches to original equipment manufacturers (OEMs).

The disclosure of the Quadrooter vulnerability follows on from Check Point’s discovery last month that over 85 million Android devices had been infected with the Hummingbad malware, generating an estimated $300,000 per month in fraudulent ad revenue for the criminals behind it.

Full details of the vulnerability, including the link to the free Check Point QuadRooter scanner app, and the detailed research report into the vulnerabilities,is available on the Check Point blog:  http://blog.checkpoint.com/

[su_box title=”About Check Point” style=”noise” box_color=”#336588″][short_info id=’74105′ desc=”true” all=”false”][/su_box]