900 Million Android Phones May Have Security Issues

Since 1993, DEF CON has been holding its annual hacker conventions in Las Vegas. As one of the largest such conventions in the world, security companies like Trust Guard share information about the security (and lack thereof) with online and mobile devices and apps.

2016 was no different. This year computer security firm Check Point and its mobile threat research team revealed details of what it says are a set of “four vulnerabilities affecting 900 million Android smartphones and tablets that use Qualcomm® chipsets.” They call the set of vulnerabilities QuadRooter.

The company says the security flaws could give attackers complete access to a phone’s data and those flaws have been found in software used on tens of millions of Android devices. Qualcomm is the world’s leading designer of LTE chipsets with a 65% share of the LTE modem baseband market. Its processors are found in about 900 million Android phones. The company says there is no evidence of the security vulnerabilities being used at present in attacks by cyber thieves. However, if any of the four vulnerabilities are exploited, an attacker can trigger “privilege escalations for the purpose of gaining root access to a device,” according to Check Point.

Some of the latest and most popular Android devices found on the market today use these Qualcomm chipsets, including:

BlackBerry Priv
Blackphone 1 and Blackphone 2
Google Nexus 5X, Nexus 6 and Nexus 6P
HTC One, HTC M9 and HTC 10
LG G4, LG G5, and LG V10
New Moto X by Motorola
OnePlus One, OnePlus 2 and OnePlus 3
Samsung Galaxy S7 and Samsung S7 Edge
Sony Xperia Z Ultra

How are Android devices exposed to this vulnerability?

Check Point says an attacker can exploit these security vulnerabilities using a malicious app. Such an app would require no special permissions to take advantage of these vulnerabilities, removing any suspicion users may have when installing the app.

What Android devices are at risk?

QuadRooter vulnerabilities are found in software drivers that ship with Qualcomm chipsets. The drivers, which control communication between chipset components, become incorporated into the Android “builds” that manufacturers develop for their devices. Check Point says that since the vulnerable drivers are pre-installed on devices at the point of manufacture, they can only be fixed by installing a patch from the distributor or carrier. Distributors and carriers issuing patches can only do so after receiving fixed driver packs from Qualcomm.

The company says on its website, “This situation highlights the inherent risks in the Android security model. Critical security updates must pass through the entire supply chain before they can be made available to end users. Once available, the end users must then be sure to install these updates to protect their devices and data.”

Michael Shaulov, who works as head of mobility product management at Check Point, said that it took six months of work to reverse engineer Qualcomm’s code to reveal the vulnerabilities. Now that the issues have been found and discussed in public, it won’t take more than a few months for hackers to use those security holes to access Android smartphones. He says, “It’s always a race as to who finds the bug first, whether it’s the good guys or the bad.”

This type of extensive security problem shows how vulnerable our mobile devices are to security threats from hackers. All it takes is to download the wrong app and, often without even realizing it, our personally identifiable information will have been hacked. If you are using one of the above devices, we suggest you go to your phone distributor or carrier to get the patch to fix the security hole as soon as possible.

Special thanks to Sky Valley Chronicle for much of the information about the vulnerabilities found.