Qualcomm Chip Vulnerabilities Affect Close to 1 Billion Android Phones

By Richard Anderson

Android smartphones and tablets are at risk of compromise due to four recently discovered Qualcomm chip vulnerabilities, according to security researchers at Check Point. The so-called QuadRooter vulnerabilities affect approximately 900 million Android devices, including some of the most popular smartphones on the market.

Owners of a Google Nexus phone (5X, 6, and 6P), BlackBerry (Priv), OnePlus (One, 2 or 3), HTC (One, M9 or 10), Samsung (Galaxy S7 or S7 Edge), Motorola (Moto X), Sony (Xperia Z Ultra), LG (G4, G5, or V10), or a Blackphone (1 or 2) are at risk of their device being attacked.

The Qualcomm chip vulnerabilities allow attackers to escalate privileges on the affected devices and gain root access, which would give the attacker full control of the device. The vulnerabilities affect four different chipset software drivers, which are used to control communication between different hardware components: two graphics drivers, a shared memory feature, and a process communication module, according to Check Point.

Check Point first notified Qualcomm of the vulnerabilities in April, although it has taken some time for an official announcement to be made confirming the vulnerabilities exist. The vulnerabilities have now been confirmed by Qualcomm and are rated as high risk.

In order to exploit the vulnerabilities, a malicious app would need to be downloaded to the device. However, as we have recently seen, attackers have succeeded in uploading malicious apps to app stores, including Google Play. Check Point reports that the app would not require any special permissions. Until the patch is released, all users of the affected phones should refrain from downloading apps from third-party app stores as a precaution.

In order for patches to be issued, Google must send updates to each manufacturer. The manufacturers must then schedule the rollout of patches with wireless carriers, and that process can take a considerable amount of time.

A patch is expected to be released soon to correct the Qualcomm chip vulnerabilities, although many manufacturers are unlikely to start rolling out patches before September 2016. So far only Google has issued patches for its Nexus phones, and for only three out of the four security vulnerabilities. The patches were rolled out as part of last month’s security updates.


Richard Anderson is the Editor-in-Chief of NetSec.news