Quadrooter - four Qualcomm bugs that leave your Android phone completely rooted

If you haven’t received the latest security patches from Google, your Android phone is almost certainly vulnerable to one of the so-called ‘Quadrooter’ bugs that affect nearly every Android device on earth.

Security firm Check Point has revealed four significant vulnerabilities in Qualcomm chips that run as many as 900 million Android devices, including newer devices which prioritise faster patching and enhanced security features.

Affected devices include BlackBerry's Priv, Silent Circle's Blackphone, and Google’s Nexus devices, including the 5X, 6, and 6P. Also affected are the HTC One, HTC M9 and HTC 10, LG’s G4 and G5, Motorola’s new Moto X, all OnePlus One flagships, Samsung’s Galaxy S7 and S7 Edge, and Sony’s Xperia Z Ultra.

Fortunately, an attacker can only exploit these Quadrooter bugs if they can dupe a victim into installing a malicious app. That’s a significantly higher barrier to exploitation than Stagefright, the name for a set of bugs affecting a key Android media system discovered last year. The Stagefright bugs only required a specially crafted MMS message to remotely gain control of a vulnerable device; users didn't need to do anything beyond opening a message to become infected.

Quadrooter bugs still have fangs though. As Check Point notes, once a malicious app is installed, it would not need special permissions to exploit the bugs, which reside in the drivers for Qualcomm’s chipsets. Additionally, patching the Qualcomm bugs will be a circuitous affair. First, Qualcomm needs to release a patch for the bugs, then handset makers and carriers need to distribute it, and they're two groups that have an appalling record for distributing Android security patches. If all this happens, device owners will then need to install the patch.

That said, Google last week issued a patch for one of the four bugs, CVE-2016-2504, which relates to a flaw in the kernel graphics driver. The advisory for Google’s August Android security bulletin was dominated by fixes for bugs in chipset drivers, most of which addressed Qualcomm driver bugs. Google appears to have doubled down on hardware driver bugs in the past two months. Google has addressed so many hardware driver bugs in the past two monthly updates that it split each patch level into two streams. This was to help device makers and carriers fix the most urgent bugs faster.

The other bugs Check Point revealed included CVE-2016-2059 affecting a Qualcomm kernel module for the router; CVE-2016-5340, an Android subsystem flaw present in devices that rely on Qualcomm chipsets; and CVE-2016-2503, which is related to the bug Google fixed.

Bugs in Qualcomm drivers are important for Android security since Qualcomm is the number one LTE chipset provider to the smartphone market.

Google began rolling out monthly security updates for Android shortly after the first Stagefright bugs were revealed last July.

The Federal Communications Commission and the Federal Trade Commission this year commenced an industry probe of smartphone patching to discover why some devices never receive security updates. The authorities cited Stagefright as one of the reasons for the investigation.

Google’s monthly security update program only covers devices that are newer than Android 4.4, the version Google released in 2013. Google’s snapshot of Android at the beginning of August indicates it was providing patches that covered 80 percent of all Android devices that connected to its app store. But, since Google does not control the mechanism that carries patches from it to end-user devices, it’s not known what proportion of Android handsets actually receive its patches.

