Four major security flaws have left around 900 million Android devices - including many of the latest flagships - vulnerable to attacks.
According to security researchers at Check Point, the vulnerabilities - which it collectively refers to as 'QuadRooter' - affect Android phones and tablets with Qualcomm chipsets. "If any one of the four vulnerabilities is exploited," Check Point's Mobile Threat Research Team said, "an attacker can trigger privilege escalations for the purpose of gaining root access to a device."
A malicious app would be able to target these security flaws without requiring special permissions to do so, potentially leaving users oblivious to an attacker gaining unrestricted access to personal data, and even sensitive corporate information. This could even include installing keylogging software on a device, as well as being able to activate the camera and microphone without the user's knowledge.
QuadRooter vulnerabilities affect a wide range of devices, including some that have been specifically marketed as offering superior security or privacy protections, such as the BlackBerry Priv, along with the Blackphone 2 and its predecessor.
Emphasizing that even many of the newest premium devices have been affected, Check Point also highlighted these examples:
- Google Nexus 5X, Nexus 6 and Nexus 6P
- HTC One, HTC M9 and HTC 10
- LG G4, LG G5, and LG V10
- New Moto X by Motorola
- OnePlus One, OnePlus 2 and OnePlus 3
- Samsung Galaxy S7 and Samsung S7 Edge
- Sony Xperia Z Ultra
Check Point said that it disclosed details of QuadRooter to Qualcomm in April - giving the chip-maker the 'industry-standard' 90 days to allow it to create patches - before making its findings public. Qualcomm identified all of the vulnerabilities as 'high risk', and has since released patches to its device-manufacturing partners.
But as Check Point notes, that's far from the end of the story, as those patches still need to make their way to the hundreds of millions of affected devices. Indeed, it stressed that "this situation highlights the inherent risks in the Android security model", adding:
Critical security updates must pass through the entire supply chain before they can be made available to end users. Once available, the end users must then be sure to install these updates to protect their devices and data.
The problem is that this whole process often takes far too long to complete, leaving devices - and their users' data - potentially vulnerable to attack in the interim. Check Point explained:
Suppliers, like chipset makers, provide the hardware and software modules needed to manufacture smartphones and tables.
Original equipment manufacturers (OEMs) combine these software modules, Android builds from Google, and their own customizations to create a unique Android build for a particular device.
Distributors resell the devices, often including their own customizations and apps – creating yet another unique Android build.
When patches are required, they must flow through this supply chain before making it onto an end user’s device. That process often takes weeks or even months.
Many Android manufacturers only deliver updates to their devices for a couple of years, and even some of the largest firms don't appear to recognize the need for urgency in patching security flaws as quickly as possible.
Motorola, for example, recently said that it would not commit to delivering monthly Android security updates because it's too "difficult" to do so, and "most efficient" for the company to deliver those patches less frequently. But in failing to meet that challenge, Motorola is leaving even its newest devices without the latest security protections for months at a time, despite other manufacturers having no problem releasing these patches on a monthly basis.
Michael Shaulov, head of mobility product management at Check Point, told BBC News that Android device owners "should call whoever sold them their phone, their operator or the manufacturer, and beg them for the patches" to fix the QuadRooter vulnerabilities.
Check Point has released a free app on the Google Play Store that can scan for the vulnerabilities, and check whether or not they've been patched. A detailed analysis of QuadRooter, including technical information, is available in a free whitepaper, available to download here.
QuadRooter follows the disclosure in May of another vulnerability associated with Qualcomm chips on Android devices running version 4.3 Jelly Bean or earlier. Given the age of those affected devices, few of them are likely to ever be patched.
Source: Check Point