conejota - Fotolia

900 million Android devices vulnerable to attackers

Enterprises and individuals need to install security updates for all devices with vulnerable Qualcomm chip drivers if they want to ensure attackers can‘t take control of them, warns Check Point

Around 900 million Android devices are vulnerable to cyber attacks that exploit four vulnerabilities in software drivers for Qualcomm chips, according to security researchers.

Any of the four vulnerabilities, collectively dubbed QuadRooter by researchers at security firm Check Point, can be exploited by attackers using a malicious app to trigger privilege escalations and gain root access to the device.  

The app would require no special permissions to take advantage of the vulnerabilities, so users would not have any suspicions aroused, the researchers said at the Def Con 2016 hacker conference in Las Vegas.

“During our research, we found multiple privilege escalation vulnerabilities in multiple subsystems introduced by Qualcomm to all its Android devices in multiple different subsystems,” said Adam Donenfeld, Check Point senior security researcher.

According to Donenfeld, gaining root access to an Android smartphone or tablet allows attackers to take complete control of the device. They then have the power to change or remove system-level files, delete or add apps, and access the device’s screen, camera, microphone and data.

Read more about mobile security

Check Point said the vulnerabilities affect all Android devices built on the Qualcomm chipset. Qualcomm supplies 80% of the chipsets in the Android ecosystem.

Affected devices include:

  • Samsung Galaxy S7 and S7 Edge
  • Sony Xperia Z Ultra
  • Google Nexus 5X, 6 and 6P
  • HTC One M9 and HTC 10
  • LG G4, G5 and V10
  • Motorola Moto X
  • OnePlus One, 2 and 3
  • BlackBerry Priv
  • Blackphone 1 and 2

"Give that BYOD [bring your own device] is now commonplace, a vulnerability in mobile hardware on this scale could be a huge risk to enterprises,” said Ed Macnair, chief executive officer at security firm CensorNet.

“By having root access to the primary device that many people use on a daily basis for business operations, a hacker basically becomes a superuser.  Having unfettered access to company systems is a few relatively simple steps away,” he said.

According to Macnair, often “ignorance is bliss” for IT security teams with regards to the scale and seriousness of the BYOD problem.  “People need to wake up and monitor all devices running on their networks and what data they are trying to access and share.  Only by doing this, can the risk be negated,” he said. 

Because the vulnerable drivers are pre-installed on devices at the point of manufacture, they can  be fixed only by installing a patch from the distributor or carrier. But distributors and carriers issuing patches can do so only after receiving fixed driver packs from Qualcomm. 

However, Qualcomm has released patches to original equipment manufacturers (OEMs) after Check Point notified the chip company of the vulnerabilities. Check Point followed the industry-standard disclosure policy of allowing 90 days for Qualcomm to produce patches before disclosing the vulnerabilities.  

Check Point has released a free QuadRooter scanner app, available from Google Play, that enables Android users to find out if their device is vulnerable, and prompts them to download patches for the problem. 

To help keep Android devices safe from attacks, Check Point recommends that users and enterprises:

  • Download and install the latest Android updates as soon as they become available.
  • Understand the risks of rooting devices – either intentionally or from an attack.
  • Avoid side-loading Android apps (.APK files) or downloading apps from third-party sources.
  • Read permission requests when installing any apps carefully. Be wary of apps that ask for permissions that seem unusual or unnecessary, or use large amounts of data or battery life.
  • Use known, trusted Wi-Fi networks or, while travelling, only those that you can verify are provided by a trustworthy source.
  • Consider using mobile security solutions designed to detect suspicious behaviour on a device, including malware that could be obfuscated within installed apps.

Read more on Endpoint security