In his presentation at Def Con 24, Check Point lead mobile security researcher Adam Donenfeld revealed four major vulnerabilities affecting Android devices built using the Qualcomm chipsets. Qualcomm is the world’s leading designer of LTE chipsets, with a 65% share of the LTE modem baseband market in the Android ecosystem.
Check Point calls the set of vulnerabilities QuadRooter. If exploited, the vulnerabilities can give attackers complete control of devices and unrestricted access to sensitive personal and enterprise data on them. Access could also provide an attacker with capabilities such as keylogging, GPS tracking, and recording video and audio.
The vulnerabilities are found in the software drivers Qualcomm ships with its chipsets. An attacker can exploit these vulnerabilities using a malicious app. This app would require no special permissions to take advantage of the vulnerabilities, which means it would not make users suspicious. The estimated 900 million affected devices include these models:
- Samsung Galaxy S7 & S7 Edge
- Sony Xperia Z Ultra
- Google Nexus 5X, 6 & 6P
- HTC One M9 & HTC 10
- LG G4, G5 & V10
- Motorola Moto X
- BlackBerry Priv
Since the vulnerable software drivers are pre-installed on devices at the point of manufacture, they can only be fixed by installing a patch from the device’s distributor or carrier. Distributors and carriers issuing patches can only do so after receiving fixed driver packs from Qualcomm.
Check Point has released a free QuadRooter scanner app, available from Google Play, that enables Android users to find out if their device is vulnerable, and prompt them to download patches for the problem. The link will be also available from http://blog.checkpoint.com/
Michael Shaulov, head of mobility product management for Check Point said: “Vulnerabilities like QuadRooter bring into focus the unique challenge of securing Android devices, and the data they hold. The supply chain is complex, which means every patch must be added to and tested on Android builds for each unique device model affected by the flaws. This process can take months, leaving devices vulnerable in the interim, and users are often not made aware of the risks to their data. The Android security update process is broken and needs to be fixed.”
Check Point recommends the following best practices to help keep Android devices safe from attacks that try to exploit any vulnerabilities:
· Download and install the latest Android updates as soon as they become available.
· Understand the risks of rooting devices – either intentionally or from an attack
· Avoid side-loading Android apps (.APK files) or downloading apps from third-party sources. Instead, download apps only from Google Play.
· Read permission requests carefully when installing any apps. Be wary of apps that ask for permissions that seem unusual or unnecessary, or use large amounts of data or battery life.
· Use known, trusted Wi-Fi networks or while traveling use only those that you can verify are provided by a trustworthy source.
· End users and enterprises should consider using mobile security solutions designed to detect suspicious behaviour on a device, including malware that could be obfuscated within installed apps.
Check Point researchers provided Qualcomm with information about the vulnerabilities in April 2016. The team then followed the industry-standard disclosure policy (CERT/CC policy) of allowing 90 days for Qualcomm to produce patches before disclosing the vulnerabilities. Qualcomm reviewed these vulnerabilities, classified each as high risk, and has since released patches to original equipment manufacturers (OEMs).