
900 Million Android Devices ‘Vulnerable To Attack’

Researchers said they have uncovered a set of bugs in the Android mobile operating system that leave hundreds of millions of devices open to attack.

The bugs, affecting Android devices using Qualcomm chipsets, could allow seemingly innocuous apps to take control of a device and access any data held on it, according to IT security firm Check Point, which discovered the flaws.

Patching difficult

The issues affect the software drivers that control communication between processor components, which makes fixing them more difficult, since patches must be supplied by Qualcomm to device makers and then distributed to end users, Check Point said.

Any of the estimated 900 million Android devices using Qualcomm chips could be vulnerable to attacks until they are patched, researchers said.

“This situation highlights the inherent risks in the Android security model,” Check Point said in an advisory. “Critical security updates must pass through the entire supply chain before they can be made available to end users.”

Affected devices include the BlackBerry Priv; the Blackphone 1 and Blackphone 2; the Google Nexus 5X, Nexus 6 and Nexus 6P; the HTC One, HTC M9 and HTC 10; the LG G4, LG G5 and LG V10; the New Moto X by Motorola; the OnePlus One, OnePlus 2 and OnePlus 3; the Samsung Galaxy S7 and Samsung S7 Edge; and the Sony Xperia Z Ultra, Check Point said.

Malicious app

Check Point said the set of four bugs, which it calls QuadRooter, could be exploited via a malicious app.

“Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing,” the firm stated.

Users would be unlikely to know a breach had taken place without the use of security tools that could detect suspicious activity on their devices.

Check Point advised users to avoid third-party app stores and Wi-Fi networks from unknown providers and to keep their devices up to date.

Malicious apps are regularly found even on official app stores, however, and in this case devices might not yet have a patch available, Check Point pointed out. The firm said consumer or enterprise-grade security systems can help detect and block malicious code running on Android devices.

The company released a QuadRooter scanner on Google Play that can determine whether a device is running the vulnerable drivers.

Check Point said it provided Qualcomm with information about the bugs earlier this year and believes the company has distributed patches to device makers.

Qualcomm confirmed that it was notified about the vulnerabilities between February and April of this year and said it made patches available to customers, partners, and the open source community between April and July.

The security firm disclosed its findings at the DEF CON 24 conference in Las Vegas.

Apple released an update for its iOS mobile software fixing a similarly critical flaw, two weeks after a separate update for another major security vulnerability in iOS and Mac OS affecting the ImageIO subsystem.


Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.
