Google fixes critical security flaw affecting over 900 million Android devices

BlackBerry is the first major phone maker to patch QuadRooter exploits

quadrooter exploit qualcomm chips android devices flaw
At the Defcon security conference in Las Vegas last week, Israeli cybersecurity firm Check Point detailed a new bug, dubbed “Quadrooter,” that resides within the firmware of a Qualcomm chip contained in more than 900 million devices.

Now it looks as though Google has addressed the last two flaws that relate to this set of vulnerabilities.

Check Point previously said that the vulnerability could, in skilled hands, cede “complete control” of a smartphone or tablet to nefarious programmers. Specifically, it could allow a malicious app to bypass Android’s built-in security measures and grant itself administrative privileges, a level of access that entails the ability to collect “sensitive personal and enterprise data.”

The flaw required a would-be victim to install a malicious app — infected code posing as a legitimate update, for instance, or a pirated version of a paid application. Crucially, that precluded apps distributed through Google’s Play Store, which Google regularly scans for malware. Apps infected with Quadrooter’s delivery mechanism would have to be installed manually by toggling the “Unknown Applications” setting in Android’s settings menu.

It also likely required that users disable Android’s “Verify Apps” feature, a malware filter that scans for known vulnerabilities in apps — including those installed manually, outside of the Play Store’s walled garden — at installation time.

When the flaw was first unveiled, a Google spokesperson confirmed as much in a statement to Android Central: “We appreciate Check Point’s research as it helps improve the safety of the broader mobile ecosystem. … Exploitation of these issues depends on users also downloading and installing a malicious application. Our Verify Apps and SafetyNet protections help identify, block, and remove applications that exploit vulnerabilities like these.”

Android Central notes that the protection has been enabled by default in all Android versions since 4.2 Jelly Bean in 2012, and that it’s frequently updated with new virus definitions via Google Play Services, the Android framework responsible for delivering Google app updates. Google also conducts security scans of Android phones about “once per week” by default and can, in some cases, uninstall infected applications from handsets remotely.

Check Point discovered four specific vulnerability’s in Qualcomm’s firmware, said Adam Donefeld, the firm’s lead mobile security researcher. The firm hasn’t observed any exploits “in the wild,” as of yet, but expects to “in the next three to four months.” Check Point published a preliminary list of affected devices:

  • BlackBerry Priv
  • Blackphone 1 and Blackphone 2
  • Google Nexus 5X, Nexus 6, and Nexus 6P
  • HTC One, HTC M9, and HTC 10
  • LG G4, LG G5, and LG V10
  • New Moto X by Motorola
  • OnePlus One, OnePlus 2, and OnePlus 3
  • Samsung Galaxy S7 and Samsung S7 Edge
  • Sony Xperia Z Ultra

A Qualcomm spokesperson told ZDNet that it issued patches to “customers, partners, and the open source community” between April and the end of July. Google, for its part, said that “most” of the fixes had been rolled into Android’s monthly security update — the collection of firmware fixes that the company makes available to its Android partners.

Google’s latest fix, issued Tuesday, came after a number of phone makers issued patches of their own.

Sony, for example, says worked its patch into “normal and regular software maintenance, both directly to open-market devices and via our carrier partners, so timings can vary by region and or operator.” Meaning the company isn’t rushing the fix out immediately, according to the Xperia Blog, and knowing how long it takes carriers to update devices, it’s likely that we won’t see this fix in Sony devices for a few months.

Some, though, like BlackBerry, have taken a more proactive approach. The company announced a couple weeks ago that it had issued a patch for the Priv and DTEK50 addressing “three of the four vulnerabilities” uncovered by Check Point. The fourth issue, it said, is “naturally mitigated” by both devices’ secure boot chain. “We don’t think any of our customers are currently at risk from this issue,” Alexa Manea, director of BlackBerry Security, wrote in a blog post. “This is a great example of how our Android platform hardening proactively protects against issues that haven’t even been discovered yet.”

Check Point said the nature of the exploit highlights the difficulty in ensuring that Android devices, oversight of which typically involves at least a handful of parties, remain inoculated against new threats. “This situation highlights the inherent risks in the Android security model,” the firm stated in its report. “Critical security updates must pass through the entire supply chain before they can be made available to end users. Once available, the end user must then be sure to install these updates to protect their devices and data.”

It’s a problem exacerbated when some partners refuse to play ball. Lenovo caused a stir when it implied in a recent statement that the Moto Z, its new flagship phone in the U.S., wouldn’t be receiving monthly security patches. The company has since clarified its stance, but the issue of infrequent, incomplete, or otherwise haphazard security updates has prompted activity at the federal level. The Federal Trade Commission and the Federal Communications Commission are compiling a report, due out later this year, about the decision process involved in “[patching] a vulnerability on a particular mobile device.”

The Quadrooter report follows the discovery of two major Android vulnerabilities in the past year, Stagefright and Fake ID. The former, a fix for which is scheduled for September, tapped into bugged code within Android’s multimedia playback and allowed apps to gain administrative access. The latter, meanwhile, let malicious apps assume the identity of legitimate software. A patch was issued in late July.

This article was originally published on 08-08-2016.

Updated on 08-16-2016 by Kyle Wiggers: Added news about BlackBerry’s patch for the exploit.

Updated on 09-07-2016 by Kyle Wiggers: Added news about Google’s final fixes to the exploit.

Smart Home

Man claims hacker talked to him through his Nest security camera

An Arizona man claims a white hat hacker was able to communicate with him through a hacked Nest Cam IQ internet-connected security camera and warn him about a vulnerability in the device.
Mobile

Put down the controller and pick up the best phones for gaming on the go

Which phones are the best if all you want to do is play some mobile games? We've done the hard work and put together a list of the best gaming phones on Android and iOS, so you can keep playing and winning.
Mobile

Android 9.0 updates to stretch into 2019 — will your phone get a slice of Pie?

Android 9.0 Pie has been released. But is your phone getting Android 9.0 Pie, and if so, when? We've done the hard work and asked every device manufacturer to see when their devices would be getting the update.
Computing

Microsoft blocks optional Windows 10 update that bricked Surface Book 2 devices

The Windows 10 problems just keep on coming. Microsoft is now pulling back an optional monthly cumulative update that recently bricked and rendered some Surface Book 2 devices useless.
Mobile

On a budget? We found the best affordable smartphones you can buy

Here are the best cheap phones for anyone working with a tight budget, whether you're a fan of stock Android or marathon battery life. Find out what you can get for under $500 or far, far less as we round up the best budget smartphones.
Home Theater

Set your ears free with the best completely wireless earbuds

If you can't stand the tangle of cords, or you're just excited about completely wireless earbuds, you're going to need some help separating the wheat from the chaff. Our list serves up the best wireless earbuds around.
Deals

REI clearance sale extends discounts on Garmin, Fitbit, and GoPro devices

Beyond the things you typically expect to find at REI — like tents, skis, and jackets — there are tons of great deals on quality tech foryour outdoor adventures. From smartwatches to action cameras, here are the best tech deals.
Social Media

#ThrowbackThursday is only the start: Instagram hashtags for every day of the week

Not getting your hashtag fill with #ThrowbackThursday or #ManCrushMonday? Here's a list of some of the more popular Instagram hashtags, so you can outfit your next post with the proper tag, regardless of what day it is.
Mobile

Protect your new iPhone with one of our favorite iPhone XR cases

Apple's new iPhone range is the toast of 2018, with beautiful style and more power than you can shake a stick at. But beauty can often be fragile -- keep the damage to a minimum with the best iPhone XR cases.
Computing

A dead pixel doesn't mean a dead display. Here's how to repair it

Dead pixel got you down? We don't blame you. Check out our guide on how to fix a dead pixel and save yourself that costly screen replacement or an unwanted trip to your local repair shop.
Mobile

Apple's iOS 12.1.1 makes it easier to switch cameras in FaceTime

After months of betas, the final version of iOS 12 is here to download. The latest OS comes along with tons of new capabilities, from grouped notifications to Siri Shortcuts. Here are all the features you'll find in iOS 12.
Mobile

5G Coverage

Curious about 5G and what it means for you? Well here is our awesome one stop shop for all things 5g.
Social Media

Instagram could be making a special type of account for influencers

Instagram influencers fall somewhere between a business profile and a typical Instagram, so the company is working on developing a type of account just for creators. The new account type would give creators more access to analytical data.
Mobile

The Galaxy A8s is Samsung's first with a hole-punch camera cutout

Samsung is building exciting, technologically innovative midrange phones, and the latest to be revealed is the new Samsung Galaxy A8s, which may give us an idea of what the new Samsung Galaxy S10 will look like.