We all know Android is vulnerable, but how vulnerable is it really? 2016 has already seen a bunch of security flaws in the popular mobile operating system. And some of them are quite serious! Just a couple of days ago Check Point researchers disclosed a particular set of flaws, which immediately topped the charts in terms of severity and scope. Even Android Marshmallow is affected. Millions of devices are endangered by the so-called QuadRooter set of vulnerabilities, over 900 million, to be precise.
More about the QuadRooter Vulnerabilities in Android
QuadRooter consists of four flaws affecting Android devices built using the Qualcomm chipsets. If exploited, all four of the vulnerabilities could allow an attacked to trigger privilege escalation and gain root access to the targeted device.
Devices Affected by QuadRooter
The QuadRooter vulnerabilities are located in software drivers that ship with Qualcomm chipsets. Basically, any Android device built with these chipsets is endangered. “The drivers, which control communication between chipset components, become incorporated into Android builds manufacturers develop for their devices“, researchers explain.
Because the drivers are pre-installed during manufacture, they can only be fixed by applying a patch from the distributor (or carrier). Moreover, distributors can issue patched only after getting fixed driver packs from Qualcomm. Patching Android is definitely not a simple task!
This situation highlights the inherent risks in the Android security model. Critical security updates must pass through the entire supply chain before they can be made available to end users. Once available, the end users must then be sure to install these updates to protect their devices and data.
Here is a list of the popular Android devices using the Qualcomm chipsets:
- BlackBerry Priv
- Blackphone 1 and Blackphone 2
- Google Nexus 5X, Nexus 6 and Nexus 6P
- HTC One, HTC M9 and HTC 10
- LG G4, LG G5, and LG V10
- New Moto X by Motorola
- OnePlus One, OnePlus 2 and OnePlus 3
- Samsung Galaxy S7 and Samsung S7 Edge
- Sony Xperia Z Ultra
How Can QuadRooter Vulnerabilities Be Exploited?
CVE-2016-2503, CVE-2106-2504, CVE-2016-2059, CVE-2016-5340
- CVE-2016-2503 is discovered in Qualcomm’s GPU driver and is now fixed in Google’s Android Security Bulletin for July 2016.
- CVE-2016-2504 is located in Qualcomm GPU driver and is fixed in Google’s Android Security Bulletin for August 2016.
- CVE-2016-2059 is found in Qualcomm kernel module and is fixed in April, the patch status still appears unknown.
- CVE-2016-5340 is found in Qualcomm GPU driver and should be fixed, but the patch status is unknown.
An attacker can exploit all four of the QuadRooter flaws via a malicious app. The worst part is that such an app would not require special permissions to directly exploit the vulnerabilities, and thus the user will not be suspicious and will process with installing it.
Check Point’s report highlights the fact that vulnerabilities as severe as QuadRooter may be very difficult to fix but they also bring the unique challenge of securing Android devices:
- Fragmentation is somewhat responsible for keeping Android devices secure despite the complex supply chain.
- The development and deployment of security patches takes a lot of time and effort, and it shouldn’t leave users unprotected for unknown period of time.
- There are devices that can’t support the latest Android versions which makes it impossible for them to receive crucial security updates and leaves them open to exploits.
- End-users should be fully informed about the risks of using mobile devices and networks, rooting and downloading from unknown sources. The risk of public Wi-Fi shouldn’t be underestimated as well.
- On one hand, the end-user’s PII is threatened, but also any other piece of information (like business) located on the device becomes vulnerable.
Security Tips for Android Devices
Android is vulnerable and end-users should be as prepared for issues as they are with their desktop machines. Here are several security tips to always keep in mind:
- You wouldn’t leave your Windows without its mandatory security fixes, would you? You should never skip an Android security update, too!
- Rooting your device hides certain risks –evaluate them before ever considering to do it.
- Stay away from side-loading Android apps (.APK files) or downloading apps from third-party sources. Only download from Google Play, but always keep in mind that malicious apps can sneak in there, too.
- Never forget to carefully read the app permissions. If an app seems suspicious, it most likely is! Be careful with apps that ask for unusual or unnecessary permissions or such that use large amounts of data or battery life.
- Use known, trusted Wi-Fi networks. When on a trip, exclusively use only networks that are verified.
- Consider installing AV protection on your Android that will detect suspicious behavior on your device, like malware hiding in installed apps.