Google fixes critical security flaw affecting over 900 million Android devices

BlackBerry is the first major phone maker to patch QuadRooter exploits

At the Defcon security conference in Las Vegas last week, Israeli cybersecurity firm Check Point detailed a new bug, dubbed “Quadrooter,” that resides within the firmware of a Qualcomm chip contained in more than 900 million devices.

Now it looks as though Google has addressed the last two flaws that relate to this set of vulnerabilities.

Check Point previously said that the vulnerability could, in skilled hands, cede “complete control” of a smartphone or tablet to nefarious programmers. Specifically, it could allow a malicious app to bypass Android’s built-in security measures and grant itself administrative privileges, a level of access that entails the ability to collect “sensitive personal and enterprise data.”

The flaw required a would-be victim to install a malicious app — infected code posing as a legitimate update, for instance, or a pirated version of a paid application. Crucially, that ruled out apps distributed through Google’s Play Store, which Google regularly scans for malware. Apps infected with Quadrooter’s delivery mechanism would have to be installed manually by toggling the “Unknown Applications” setting in Android’s settings menu.

It also likely required that users disable Android’s “Verify Apps” feature, a malware filter that scans for known vulnerabilities in apps — including those installed manually, outside of the Play Store’s walled garden — at installation time.

When the flaw was first unveiled, a Google spokesperson confirmed as much in a statement to Android Central: “We appreciate Check Point’s research as it helps improve the safety of the broader mobile ecosystem. … Exploitation of these issues depends on users also downloading and installing a malicious application. Our Verify Apps and SafetyNet protections help identify, block, and remove applications that exploit vulnerabilities like these.”

Android Central notes that the protection has been enabled by default in all Android versions since 4.2 Jelly Bean in 2012, and that it’s frequently updated with new virus definitions via Google Play Services, the Android framework responsible for delivering Google app updates. Google also conducts security scans of Android phones about “once per week” by default and can, in some cases, uninstall infected applications from handsets remotely.

Check Point discovered four specific vulnerabilities in Qualcomm’s firmware, said Adam Donenfeld, the firm’s lead mobile security researcher. The firm hasn’t observed any exploits “in the wild” as of yet, but expects to “in the next three to four months.” Check Point published a preliminary list of affected devices:

  • BlackBerry Priv
  • Blackphone 1 and Blackphone 2
  • Google Nexus 5X, Nexus 6, and Nexus 6P
  • HTC One, HTC M9, and HTC 10
  • LG G4, LG G5, and LG V10
  • New Moto X by Motorola
  • OnePlus One, OnePlus 2, and OnePlus 3
  • Samsung Galaxy S7 and Samsung S7 Edge
  • Sony Xperia Z Ultra

A Qualcomm spokesperson told ZDNet that it issued patches to “customers, partners, and the open source community” between April and the end of July. Google, for its part, said that “most” of the fixes had been rolled into Android’s monthly security update — the collection of firmware fixes that the company makes available to its Android partners.

Google’s latest fix, issued Tuesday, came after a number of phone makers issued patches of their own.

Sony, for example, says it worked its patch into “normal and regular software maintenance, both directly to open-market devices and via our carrier partners, so timings can vary by region and or operator.” That means the company isn’t rushing the fix out immediately, according to the Xperia Blog, and given how long it takes carriers to update devices, it’s likely that we won’t see this fix in Sony devices for a few months.

Some, though, like BlackBerry, have taken a more proactive approach. The company announced a couple of weeks ago that it had issued a patch for the Priv and DTEK50 addressing “three of the four vulnerabilities” uncovered by Check Point. The fourth issue, it said, is “naturally mitigated” by both devices’ secure boot chain. “We don’t think any of our customers are currently at risk from this issue,” Alex Manea, director of BlackBerry Security, wrote in a blog post. “This is a great example of how our Android platform hardening proactively protects against issues that haven’t even been discovered yet.”

Check Point said the nature of the exploit highlights the difficulty in ensuring that Android devices, oversight of which typically involves at least a handful of parties, remain inoculated against new threats. “This situation highlights the inherent risks in the Android security model,” the firm stated in its report. “Critical security updates must pass through the entire supply chain before they can be made available to end users. Once available, the end user must then be sure to install these updates to protect their devices and data.”

It’s a problem exacerbated when some partners refuse to play ball. Lenovo caused a stir when it implied in a recent statement that the Moto Z, its new flagship phone in the U.S., wouldn’t be receiving monthly security patches. The company has since clarified its stance, but the issue of infrequent, incomplete, or otherwise haphazard security updates has prompted activity at the federal level. The Federal Trade Commission and the Federal Communications Commission are compiling a report, due out later this year, about the decision process involved in “[patching] a vulnerability on a particular mobile device.”

The Quadrooter report follows the discovery of two major Android vulnerabilities in the past year, Stagefright and Fake ID. The former, a fix for which is scheduled for September, tapped into bugged code within Android’s multimedia playback and allowed apps to gain administrative access. The latter, meanwhile, let malicious apps assume the identity of legitimate software. A patch was issued in late July.

This article was originally published on 08-08-2016.

Updated on 08-16-2016 by Kyle Wiggers: Added news about BlackBerry’s patch for the exploit.

Updated on 09-07-2016 by Kyle Wiggers: Added news about Google’s final fixes to the exploit.
