This is in no small part due to the fact that the vulnerability is not entirely an Android problem. No, your device has potentially been compromised through American hardware giant Qualcomm, whose chipsets power countless Android devices around the world.
This bug is slightly different from the norm. Where Android bugs typically affect one manufacturer, or a small number of manufacturers using a particular set of hardware, QuadRooter is estimated to affect around 900 million Android users worldwide. That's you, me and everyone you love.
Let's take a look at what QuadRooter is, what it means to you, and what anyone is actually doing to fix it.
A few things set QuadRooter apart from other Android bugs we've encountered over the past few years. To start, Check Point, the security research team that discovered the bug, explains that:
“QuadRooter is a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets. Qualcomm is the world’s leading developer of LTE chipsets with a 65% share of the LTE modem market. If any of the four vulnerabilities are exploited, an attacker could initiate privilege escalation in order to gain root access to the device.”
They list the four security vulnerabilities as:
- CVE-2016-2503, found in the Qualcomm GPU driver and patched in the July 2016 Google Android Security Bulletin.
- CVE-2016-2504, found in the Qualcomm GPU driver and patched in the August 2016 Google Android Security Bulletin.
- CVE-2016-2059, found in a Qualcomm kernel module and patched in April, although the patch status is unknown.
- CVE-2016-5340, present in the Qualcomm GPU driver and fixed, although the status of the patch is unknown.
Is my device vulnerable?
Truly sad times for me.
Can I be exploited?
Check Point reports that it is relatively easy to identify a device with any of these vulnerabilities.
“An attacker could exploit these vulnerabilities with a malicious application. Such an application does not require special permissions to exploit these vulnerabilities, which eliminates any suspicions that users may have during installation.”
This is not a flaw introduced by a firmware update. The vulnerability was present when your device was shipped. A flaw in the software drivers that manage communication between chipset components can really only be fixed by the device manufacturer via an OTA update.
What is happening now?
As a professional security research company, Check Point informed Qualcomm about this vulnerability a few months ago. So they have already issued a chipset patch that has been released on your device. The ball is now firmly in their court.