Categories: MobilitySecurity

900 Million Android Devices ‘Vulnerable To Attack’

Researchers said they have uncovered a set of bugs in the Android mobile operating system that leave hundreds of millions of devices open to attack.

The bugs, affecting Android devices using Qualcomm chipsets, could allow seemingly innocuous apps to take control of a device and access any data held on it, according to IT security firm Check Point, which discovered the flaws.

Patching difficult

The issues affect the software drivers that control communication between processor components, which makes fixing them more difficult, since patches must be supplied by Qualcomm to device makers and then distributed to end users, Check Point said.

Any of the estimated 900 million Android devices using Qualcomm chips could be vulnerable to attacks until they are patched, researchers said.

“This situation highlights the inherent risks in the Android security model,” Check Point said in an advisory. “Critical security updates must pass through the entire supply chain before they can be made available to end users.”

Some of the devices affected include the BlackBerry Priv, the Blackphone 1 and Blackphone 2, Google Nexus 5X, Nexus 6 and Nexus 6P, HTC One, HTC M9 and HTC 10, LG G4, LG G5, and LG V10, New Moto X by Motorola, OnePlus One, OnePlus 2 and OnePlus 3, Samsung Galaxy S7 and Samsung S7 Edge and Sony Xperia Z Ultra, Check Point said.

Malicious app

Check Point said the set of four bugs, which it calls QuadRooter, could be exploited via a malicious app.

“Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing,” the firm stated.

Users would be unlikely to know a breach had taken place without the use of security tools that could detect suspicious activity on their devices.

Check Point advised users to avoid third-party app stores and Wi-Fi networks from unknown providers and to keep their devices up to date.

Malicious apps are regularly found even on official app stores, however, and in this case devices might not yet have a patch available, Check Point pointed out. The firm said consumer or enterprise-grade security systems can help detect and block malicious code running on Android devices.

The company released a QuadRooter scanner on Google Play that can determine whether a device is running the vulnerable drivers.

Check Point said it provided Qualcomm with information about the bugs earlier this year and believes the company has distributed patches to device makers.

Qualcomm confirmed that it was notified about the vulnerabilities between February and April of this year and said it made patches available to customers, partners, and the open source community between April and July.

The security firm disclosed its findings at the DEF CON 24 conference in Las Vegas.

Apple released an update for its iOS mobile software fixing a similarly critical flaw, two weeks after a separate update for another major security vulnerability in iOS and Mac OS affecting the ImageIO subsystem.

Are you a security pro? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

US Approves SpaceX Starlink For Planes, Trains And … Ships

US FCC regulator gives its official approval for SpaceX to use its Starlink satellite internet…

4 hours ago

Bitcoin Falls Below $19,000, But Recovers Slightly Friday

Ominous sign for crypto markets? The value of Bitcoin dropped over 6 percent to below…

5 hours ago

Meta Slashes Hiring As It Braces For Downturn – Report

CEO Mark Zuckerberg tells staff to brace for a deep economic downturn, as Meta cuts…

6 hours ago

Silicon In Focus Podcast: Connected Business

Is the definition of a ‘connected business’ very different today than it was just two…

8 hours ago

BT Disappointed As CWU Votes To Strike, Despite 5 To 8 Percent Pay Rise

First strike in 35 years after BT staff with the e Communications Workers Union vote…

23 hours ago