Android is facing major security breach on its products according to a new report that shows significant rooting flaws of the Qualcomm chipset. Adam Donenfeld, a security researcher from Check Point Software Technologies, exposed four processor vulnerabilities- referred to as “Quadrooter” – at the DEF CON security conference in Las Vegas on Sunday.
The Quadrooter could affect over 900 million Android devices running on Qualcomm`s Snapdragon processor. Both Google and Qualcomm have managed to solve the majority of the flaws, but Android products remain vulnerable to root breaching.
The Quadroot comes in the form of malware
Any of the four rooting vulnerabilities, if exploited, could result in a potential hacking of a device. The user would have to install a particular malware offered by the attacker via the Google Play store.
This malware grants root privileges to the hacker, who could extract user data and manipulate hardware like smartphone cameras and microphones. Although the Play store has a very strict security policy by not allowing third-party apps, various malware has been able to get through security.
Only one of the four flaws would be necessary to grant root privileges
The Quadroot vulnerabilities have been a topic of discussion since February, numerous websites have warned Android users about these shortcomings. Google and Qualcomm have addressed this issues by releasing security updates that are currently fixing three of the four events.
Only one flaw remains unpatched, codenamed CVE-2016-5340. Google have plans to fix the last flaw on the upcoming September update, but Qualcomm has already offered the code to its partners, which may force Google to release sooner.
Google and Qualcomm’s issue with who fixes what
This sort of tension between Google and Qualcomm have caused delays on the complete Quadrooter fix, according to Michael Shaulov, head of mobility product management at Check Pont.
“QUALCOMM HAS A SIGNIFICANT POSITION IN THE DEVELOPMENT CHAIN IN THAT A PHONE MAKER ISN’T TAKING THE ANDROID OPEN-SOURCE CODE DIRECTLY FROM GOOGLE, THEY´RE ACTUALLY TAKING IT FROM QUALCOMM,” said Mr. Shaulov.
Mr. Shaulov explained that this makes the patching process more difficult, and the resulting delay has passed Check point´s three month-period of privacy disclosure.
Some phones that could be affected by this problem are the Samsung Galaxy S7 and S7 Edge, Google Nexus 5X, Nexus 6 and 6P, HTC One, HTC One M9, HTC 10, LG 4, and V10, Motorola Moto X, and Oneplus One, 2 and 3.
— Check Point Software (@CheckPointSW) August 8, 2016
Google´s new security update will arrive over the next weeks, For now, the unpatched flaw of the Quadroot still poses a threat to millions of devices, according to Check Point´s representatives.
“NO ONE AT THIS POINT HAS A DEVICE THAT´S FULLY SECURED,” said Michael Shaulov.
Source: Check Point Blog