Android vulnerabilities evoke the same feelings as massive data breaches. mass : a general phenomenon of which I can be a part. At the very least, with a major data breach, I have the ability to disable my accounts and set them on fire. With Android’s latest bug, QuadRoot is simply not an option.

This is in no small part due to the fact that the vulnerability is not entirely related to Android. No, your device has been potentially compromised by American hardware giant Qualcomm and its popularity as a powerhouse for countless Android devices around the world.

This error is slightly different from the norm. Where Android bugs typically affect one or a small number of manufacturers using a particular set of hardware, QuadRoot is estimated to affect around 900 million Android users worldwide. It’s you, me and everyone you loved.

Let’s take a look at what QuadRoot is, what it means to you, and what anyone is actually doing to fix it.

Quadroot large

A few things set QuadRoot apart from other Android bugs we’ve encountered over the past few years. To start, Check Point, the security research team that discovered the bug, explains that:

“QuadRooter is a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets. Qualcomm is the world’s leading developer of LTE chipsets with a 65% share of the LTE modem market. If any of the four vulnerabilities are exploited, an attacker could initiate privilege escalation in order to gain root access to the device.”

They list four security vulnerabilities as:

  • CVE-2016-2503 found in Qualcomm GPU driver and patched in July 2016 Google Android Security Bulletin.
  • CVE-2016-2504 found in Qualcomm GPU driver and patched in August 2016 Google Android Security Bulletin.
  • CVE-2016-2059 found in Qualcomm Kernel Module and patched in April, although patch status is unknown.
  • CVE-2016-5340 is present in the Qualcomm GPU driver and has been fixed, but the status of the patch is unknown.

Is my device vulnerable?

Since Qualcomm is the world’s leading developer and manufacturer of LTE (Long Term Evolution) chipsets, holding about 65% of the baseband LTE modem market, there is a significant chance that your device will be listed. You can check if your device is vulnerable using the QuadRooter Scanner [Больше не доступен]developed and published by Check Point (the guys who discovered the vulnerability). I have one of :

Scanning QuadRoot apps and panorama of results

Truly sad times for me.

Can I be exploited?

Check Point reports that it is relatively easy to identify a device with any of these vulnerabilities.

“An attacker could exploit these vulnerabilities with a malicious application. Such an application does not require special permissions to exploit these vulnerabilities, which eliminates any suspicions that users may have during installation.”

This is not a flaw introduced by the firmware update. The vulnerability was present when your device was shipped. A flaw found in the software drivers that manage communication between chipset components can really only be fixed by the device manufacturer via an OTA update.

Unlike last year’s Stagefright bug QuadRoot actually requires the installation of a malicious application, probably after enabling the installation of applications from «Unknown Sources». Beyond that, and as Google pointed out in their statement (which you can read in the next section), Android’s «App Validation» feature is designed to guard against this type of vulnerability. This feature was introduced in Android 4.2 Jelly Bean, and with over 90% of all Android devices now running this version or later, and that this bug only affects the aforementioned chipset — I think everything will be fine.

Android versions in use 2016

What is happening now?

As a professional security research company, Check Point informed Qualcomm about this vulnerability a few months ago. So they have already released a chipset patch that has been released on your device. The ball is now firmly in their court.

A number of popular device manufacturers have already taken steps to appease their user base. In one case, the fix has already been posted. Here are some of the major manufacturers, and their current status.

Google

Google quickly moved to protect its users.

“Android devices with our latest level of security patches are already protected from three of these four vulnerabilities. The fourth vulnerability, CVE-2016-5340, will be fixed in the next Android Security Bulletin, although Android partners can act more quickly by citing a public patch provided by Qualcomm.”

As the main developers of Android, Google has also been keen to highlight other security measures already in place for Android devices.

«Our application inspection tools and SafetyNet help identify, block and remove applications that exploit these vulnerabilities.»

Popular Devices: Nexus 5X, Nexus 6, Nexus 6P

blackberry

As I mentioned above, one manufacturer has already rolled out a fix for users. Kudos and accolades to be heaped upon diehard fans of Blackberry phones.

“Three out of four vulnerabilities have already been fixed on PRIV devices with the August Marshmallow patch and on all DTEK50 devices. In addition, the secure download chain that is present on all BlackBerry devices naturally mitigates the remaining problem. We are not aware of any exploits for this vulnerability in the wild and we do not think any clients are currently at risk from this issue.”

Popular device: Blackberry Private

Sony

Sony is working on making fixes available for its Qualcomm devices.

“Sony Mobile takes the security and privacy of customer data very seriously. We are aware of the QuadRooter vulnerability and are working to make security patches available through normal and regular software maintenance, both directly to open market devices and through our carrier partners, so timelines may vary by region and/or carrier . »

Popular device: Sony Xperia Z Ultra

Motorola

Motorola is another manufacturer capable of delivering good news.

“Recently, a potential security vulnerability, Quadrooter, was discovered in some Android devices. This potential vulnerability can only be exploited if a user disables Android’s built-in security measure and downloads a malicious app. For more information on how to disable this, this link is helpful for consumers.»

Popular device: moto x

HTC

HTC is a bit quiet about QuadRoot given that at least two of their devices are at risk.

“HTC takes customer security very seriously. We are aware of these reports and are investigating them.”

Popular Devices: HTC 10, HTC One M9

One Plus

OnePlus plans to include a QuadRoot update in its next patch just in case of unforeseen circumstances.

“Security is a top priority for OnePlus. Appropriate security patches will be included in the next OTA (over-the-air updates) for all OnePlus devices.”

Samsung

There has been no official announcement from Samsung yet.

Popular Devices: Galaxy S7, Galaxy S7 Edge

LG

Again, there is no official statement from LG yet.

Popular Devices: LG G5, LG G4, LG V10

Time to worry?

As with most security vulnerabilities, you must remain vigilant. These vulnerabilities exist, but unless you download an app with the appropriate malicious code, you are unlikely to find your device compromised.

The Google Play Store contains many millions of apps; application containing malicious code, designed to exploit these particular bugs, any of them could be. So be on the lookout. Check feedback. Double-check the developer and publisher information. Look at the download numbers. Consider common scams. Don’t download funny apps that offer to turn your phone into something it’s not.

You must evade any potential intruders before your device manufacturer releases patches to bring your security down to zero. . However, this last bug further highlights the risks inherent in the entire Android security model. Unlike Apple, which can simply develop a patch and deploy it to its hundreds of millions of users, critical Android security patches must travel through each manufacturer’s supply chain before reaching the users they are meant to help.

I love Android and will continue to use it, but as a user you have to be on your guard.

Worried about QuadRoot? Does the number of Android vulnerabilities make you reconsider the platform? Let us know your thoughts below!

Похожие записи