900 million phones at risk of Android ‘Quadrooter’ malware

The bug has been named “Quadrooter” by the team of Checkpoint Security researchers who discovered it. The vulnerabilities were detailed at the DEF CON hackers conference in Las Vegas last week.
Quadrooter covers four separate but related flaws in Qualcomm’s processors that could give hackers complete control of Android-powered devices. Qualcomm’s chipsets are used in millions of smartphones and tablets built by hundreds of different manufacturers, so the severity of the issue is very high.
Successful exploitation of any of the four vulnerabilities would give a hacker root access to the target device. This could be used to control the camera and microphone, monitor a user’s activities, extract messages and call logs and hijack system hardware.
To be able to control the device, the attacker would first need to convince the user to install a specially-created malicious app. However, unlike other malware, the app would not require any special permissions, so it could potentially be offered through Google Play. The lack of inappropriate permissions, such as camera or microphone access for a calculator app, would also prevent users from becoming suspicious, making them more likely to install the app.
The exploit targets vulnerabilities in the code controlling the processor’s graphics hardware and multithreading components. Checkpoint found that this code is susceptible to attacks that allow a hacker to run their own code as a system user, gaining access to sensitive portions of the device’s software and data.
The severity of the flaws is so high that they are likely to become very attractive to hackers. With almost a billion phones available to infect, the opportunity will be too great to ignore. While it is thought the vulnerabilities aren’t currently being exploited in the wild, the researchers warned it’s very likely attacks will be developed over the next few months.
“I’m pretty sure you will see these vulnerabilities being used in the next three to four months,” said Michael Shaulov, head of Checkpoint Security mobility product management, to the BBC. “It’s always a race as to who finds the bug first, whether it’s the good guys or the bad.”
The researchers have already contacted Qualcomm with their findings. The company responded proactively to the notice and has developed a fix for all the affected products. The last patch was released to device manufacturers and the open-source Android community at the end of July.
Patches for three of the flaws were issued in Google’s latest Android monthly security update. The last fix will be released as part of the next security update, due in late September, theoretically giving hackers just a few weeks to exploit the bugs.
In reality, the vast majority of devices will never receive the necessary updates. The heavily-fragmented nature of the Android ecosystem means neither Qualcomm nor Google has the power to push an update to every affected phone and tablet.
With most manufacturers refusing to commit to releasing regular security updates, it could be months before some handsets are safely patched. Older ones have no hope of seeing the update at all, making them a key target for hackers looking for devices to infect with root access malware.
To check if your Android device is affected by Quadrooter, you can use Checkpoint Security’s free Quadrooter Scanner app, available from the Google Play Store.
