Industry News

900 million Android devices exposed by QuadRooter vulnerability quartet

Four vulnerabilities in Qualcomm chipsets allow attackers root-level access to any Android device running Android Marshmallow and earlier, according to security researchers.

Qualcomm chipsets come pre-installed on mobile phones, and as part of processors, allow users to enjoy device functionalities such as movie streaming, playing games, making video calls or watching videos.

The four security vulnerabilities are:

  • CVE-2016-2503 found in Qualcomm’s GPU driver and fixed in Google’s Android Security Bulletin for July 2016.
  • CVE-2016-2504 discovered in Qualcomm’s GPU driver and fixed in Google’s Android Security Bulletin for August 2016.
  • CVE-2016-2059 found in Qualcomm kernel module and fixed in April, though patch status is unknown.
  • CVE-2016-5340 presented in Qualcomm GPU driver and fixed, but patch status unknown.

To exploit them, an attack can be carried out through a malicious app. The attacker needs to trick a user into installing a malicious app that, unlike other malware, would execute without requiring any special permission checks. If the attack is successful, the perpetrator gets full access to the device (camera, microphone etc.) and its contents (photos, contacts list etc.)

These are some of the most popular smartphone models affected by one or more Quadrooter vulnerabilities:

  • Samsung Galaxy S7 and Samsung S7 Edge
  • Sony Xperia Z Ultra
  • OnePlus One, OnePlus 2 and OnePlus 3
  • Google Nexus 5X, Nexus 6 and Nexus 6P
  • Blackphone 1 and Blackphone 2
  • HTC One, HTC M9 and HTC 10
  • LG G4, LG G5, and LG V10
  • New Moto X by Motorola
  • BlackBerry Priv

The only solution is to update mobile software as soon as it’s available.

“This situation highlights the inherent risks in the Android security model,” the researchers say. “Critical security updates must pass through the entire supply chain before they can be made available to end users.”

The chipmaker said to have fixed all of the flaws and issued patches to customers, partners, and the open source community between April and the end of July. Also, three of the four vulnerabilities have already been fixed in Google’s latest set of monthly security updates, and a patch for the remaining flaw will be rolled out in the upcoming September update.

To see if your device is vulnerable, you can download the free QuadRooter scanner app, available here.

About the author

Alexandra GHEORGHE

Alexandra started writing about IT at the dawn of the decade - when an iPad was an eye-injury patch, we were minus Google+ and we all had Jobs. She has since wielded her background in PR and marketing communications to translate binary code to colorful stories that have been known to wear out readers' mouse scrolls. Alexandra is also a social media enthusiast who 'likes' only what she likes and LOLs only when she laughs out loud.


Click here to post a comment
  • Not only in those devices but also after a scan with QuadRooter Scanner I found it in my Samsung E5 .
    As far I'm concerned there is still a possibility of Samsung release theMarshmallow update to these model devices..but ..if not ? How can we fix it and improve our device security ??
    Hello SAMSUNG !!!

    • Most Android users should already be protected from this problem (according to Google):

      “We appreciate Check Point’s research as it helps improve the safety of the broader mobile ecosystem. Android devices with our most recent security patch level are already protected against three of these four vulnerabilities. The fourth vulnerability, CVE-2016-5340, will be addressed in an upcoming Android security bulletin, though Android partners can take action sooner by referencing the public patch Qualcomm has provided. Exploitation of these issues depends on users also downloading and installing a malicious application. Our Verify Apps and SafetyNet protections help identify, block, and remove applications that exploit vulnerabilities like these.“ – Google