Enterprise security vendor Check Point has disclosed details about a set of four vulnerabilities affecting 900 million Android smartphones and tablets that use Qualcomm LTE chipsets. It calls the set QuadRooter and presented its findings at DEF CON 24 in Las Vegas.
Before you say it is Android’s fault – it is not. Qualcomm is the world’s leading designer of LTE chipsets with a 65% share of the LTE modem baseband market. If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations for the purpose of gaining root access to a device.
In theory, an attacker would simply have to use a malicious app requiring no special permissions to exploit the security holes. QuadRooter vulnerabilities can give attackers complete control of devices and unrestricted access to sensitive personal and enterprise data on them. Access could also provide an attacker with capabilities such as keylogging, GPS tracking, and recording of video and audio.
Some of the latest Android devices use these chipsets, including:
- BlackBerry Priv
- Blackphone 1 and Blackphone 2
- Google Nexus 5X, Nexus 6 and Nexus 6P
- HTC One, HTC M9 and HTC 10
- LG G4, LG G5, and LG V10
- New Moto X by Motorola
- OnePlus One, OnePlus 2 and OnePlus 3
- Samsung Galaxy S7 and Samsung S7 Edge
- Sony Xperia Z Ultra
The problem is that these vulnerabilities are closely linked to the chip design. New device drivers will need to be developed and will need to be incorporated into the version of Android on each affected device, tested by carriers, and finally rolled out. In other words, the entire supply chain from chip to the carrier needs to co-operate, then users need to install the patches – a big ask.
Check Point has provided advice on Android security
- Download and install the latest Android updates as soon as they become available. These include important security updates that help keep your device and data protected.
- Understand the risks of rooting your device – either intentionally or as a result of an attack.
- Examine carefully any app installation request before accepting it to make sure it’s legitimate.
- Avoid side-loading Android apps (.APK files) or downloading apps from third-party sources. Instead, practice good app hygiene by downloading apps only from Google Play.
- Read permission requests carefully when installing any apps. Be wary of apps that ask for permissions that seem unusual or unnecessary or that use large amounts of data or battery life.
- Use known, trusted Wi-Fi networks.
- End users and enterprises should consider using mobile security solutions designed to detect suspicious behaviour on a device, including malware that could be obfuscated within installed apps.
It has provided an app to check if a device is at risk: Use the tool here.