A set of security vulnerabilities in Qualcomm chipsets has put 900 million Android smartphones and tablets at risk of being taken over by hackers, according to researchers at security technology vendor Check Point Software Technologies.
At the DefCon 24 show in Las Vegas on Aug. 7 and in a post on the company blog, Adam Donenfeld, a security researcher with Check Point outlined four vulnerabilities that he has pulled together under the name QuadRooter. The security flaws in the Qualcomm chipsets open up the Android devices to being taken over by hackers who can gain control and unrestricted access to personal and corporate information on them, Donenfeld wrote in the blog post.
Check Point reported the vulnerabilities to Qualcomm between February and April, and the vendor has released fixes for all four. However, Qualcomm’s position as the world’s largest mobile chip maker has put a wide range of devices at risk, and the fragmented nature of the Android market presents challenges to ensuring that all the smartphones and tablets can be protected in a timely fashion.
“QuadRooter is a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets,” Donenfeld wrote. “Qualcomm is the world’s leading designer of LTE chipsets with a 65 percent share of the LTE modem baseband market. If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations for the purpose of gaining root access to a device. … If exploited, QuadRooter vulnerabilities can give attackers complete control of devices and unrestricted access to sensitive personal and enterprise data on them. Access could also provide an attacker with capabilities such as keylogging, GPS tracking, and recording video and audio.”
In a statement to journalists, Qualcomm officials said the company had “made patches available for all four vulnerabilities to customers, partners, and the open source community between April and July.”
According to Check Point officials, the vulnerabilities are in the software drivers in the chipsets, so any Android devices using the chipsets are exposed. The drivers control communications between components on the chipset, Donenfeld wrote. A problem is that because these vulnerable chipsets are built into the smartphones and tablets before they ship, they can only be fixed by installing a software patch from the device maker or carrier. Those companies get the patches through fixed driver packs from Qualcomm.
“This situation highlights the inherent risks in the Android security model,” Donenfeld wrote. “Critical security updates must pass through the entire supply chain before they can be made available to end users. Once available, the end users must then be sure to install these updates to protect their devices and data.”
At the same time, older devices that no longer are supported may not get the update.
According to Check Point, an attacker can exploit the vulnerabilities by using a malicious app that doesn’t need any special permissions, which may reduce the suspicion of any users considering downloading it.
Check Point has released a free scanner app in the Android Play store that end users can employ to see if their devices are at risk to from the QuadRooter vulnerabilities. Devices that use these chipsets from Qualcomm include Google’s Nexus 5X, Nexus 6 and Nexus 6P; HTC’s One, M9 and 10; the G4, G5 and V10 from LG Electronics; Samsung’s Galaxy S7 and S7 Edge; and Sony’s Xperia Z Ultra, according to Check Point.
Check Point is urging users to download and install the latest Android updates as soon as they become available and to examine any app installation request carefully before accepting it to ensure that it’s legitimate. In addition, users should only download apps on Google Play and avoid apps found on third-party sites, and they should only use trusted WiFi networks or—when traveling—only use those that can be verified as coming from a trustworthy source.