New Android flaw QuadRooter affects 900 mn devices

09 Aug 2016

Security researchers have reported a new Android flaw that is said to affect roughly 900 million Android devices. The issue was first reported by Israeli cyber security firm Check Point's mobile team, which claims that it affects all devices using Qualcomm chipsets.

The flaw, dubbed 'QuadRooter', is said to be a set of four vulnerabilities affecting Android devices built on Qualcomm chipsets.

According to the research team, if any one of the four vulnerabilities was exploited, an attacker could trigger privilege escalations for the purpose of gaining root access to a device.

The team added that the QuadRooter vulnerabilities were present in software drivers that shipped with Qualcomm SoCs. "Any Android device built using these chipsets is at risk," Check Point noted.

Qualcomm told ZDNet that customers, partners and the open source community were issued patches between April and the end of July.

Among the biggest concerns with the QuadRooter vulnerability was that the software carrying the bug was pre-installed on devices at the point of manufacture, and could only be fixed via a security patch released by the carrier or distributor.
 
"An attacker can exploit these vulnerabilities using a malicious app. Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing. Since the vulnerable drivers are pre-installed on devices at the point of manufacture, they can only be fixed by installing a patch from the distributor or carrier. Distributors and carriers issuing patches can only do so after receiving fixed driver packs from Qualcomm," the firm wrote in a blog post.

The past year had seen some nasty Android OS vulnerabilities, including Stagefright, CVE-2015-3842 and Google's full-disk encryption flaw, compromising Android users' security.

The Register reported that of the four QuadRooter vulnerabilities, three had already been patched and one remained. The patch was expected to arrive as part of Google's monthly security update in September.