New Check Point research reveals that over 900 million Android smartphones and tablets using Qualcomm chipsets are subject to four vulnerabilities it has labelled as QuadRooter.Check Point states via a blog post that should any one of the four vulnerabilities be exploited, “an attacker can trigger privilege escalations for the purpose of gaining root access to a device”.
“If exploited, QuadRooter vulnerabilities can give attackers complete control of devices and unrestricted access to sensitive personal and enterprise data on them,” Check Point states. “Access could also provide an attacker with capabilities such as keylogging, GPS tracking, and recording video and audio.”
The vulnerabilities are found in software drivers, controlling communication between chipset components, that ship with Qualcomm chipsets, with the drivers becoming incorporated into Android builds manufacturers develop for their devices.
“An attacker can exploit these vulnerabilities using a malicious app,” Check Point states. “Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing.”
Check Point notes that many recent and popular Android devices use the chipsets, including devices from BlackBerry, Google, HTC, LG, Motorola, OnePlus, Samsung and Sony.
“Since the vulnerable drivers are pre-installed on devices at the point of manufacture, they can only be fixed by installing a patch from the distributor or carrier,” Check Point states. “Distributors and carriers issuing patches can only do so after receiving fixed driver packs from Qualcomm.
“This situation highlights the inherent risks in the Android security model. Critical security updates must pass through the entire supply chain before they can be made available to end users. Once available, the end users must then be sure to install these updates to protect their devices and data.”
Check Point has developed an app for Android users to check if their device is at risk, with further information here.