900 million Android devices exposed by QuadRooter vulnerability quartet

Four vulnerabilities in Qualcomm chipsets allow attackers root-level access to any Android device running Android Marshmallow and earlier, according to security researchers.

Qualcomm chipsets come pre-installed on mobile phones, and as part of processors, allow users to enjoy device functionalities such as movie streaming, playing games, making video calls or watching videos.

The four security vulnerabilities are:

• CVE-2016-2503 found in Qualcomm’s GPU driver and fixed in Google’s Android Security Bulletin for July 2016.
• CVE-2016-2504 discovered in Qualcomm”s GPU driver and fixed in Google’s Android Security Bulletin for August 2016.
• CVE-2016-2059 found in Qualcomm kernel module and fixed in April, though patch status is unknown.
• CVE-2016-5340 presented in Qualcomm GPU driver and fixed, but patch status unknown.

To exploit them, an attack can be carried out through a malicious app. The attacker needs to trick a user into installing a malicious app that, unlike other malware, would execute without requiring any special permission checks. If the attack is successful, the perpetrator gets full access to the device (camera, microphone etc.) and its contents (photos, contacts list etc.)

These are some of the most popular smartphone models affected by one or more Quadrooter vulnerabilities:

• Samsung Galaxy S7 and Samsung S7 Edge
• Sony Xperia Z Ultra
• OnePlus One, OnePlus 2 and OnePlus 3
• Google Nexus 5X, Nexus 6 and Nexus 6P
• Blackphone 1 and Blackphone 2
• HTC One, HTC M9 and HTC 10
• LG G4, LG G5, and LG V10
• New Moto X by Motorola
• BlackBerry Priv

The only solution is to update mobile software as soon as it”s available.

“This situation highlights the inherent risks in the Android security model,” the researchers say. “Critical security updates must pass through the entire supply chain before they can be made available to end users.”

The chipmaker said to have fixed all of the flaws and issued patches to customers, partners, and the open source community between April and the end of July. Also, three of the four vulnerabilities have already been fixed in Google’s latest set of monthly security updates, and a patch for the remaining flaw will be rolled out in the upcoming September update.

To see if your device is vulnerable, you can download the free QuadRooter scanner app, available here.