Once again, it’s Android security scare season . This morning news broke of the latest collection of vulnerabilities, discovered by security firm Check Point and grouped together under the catchy monicker “QuadRooter.” As usual, most of the reporting has focused on worst-case scenarios and a shockingly huge number of potentially vulnerable devices — in this case, an estimated 900 million.
We’re going to break down exactly what’s going on, and just how vulnerable you’re likely to be. Read on.
1. It’s a Qualcomm thing
Check Point specifically targeted Qualcomm due to its dominant position in the Android ecosystem. Because so many Android phones use Qualcomm hardware, the drivers Qualcomm contributes to the software on these phones make for an attractive target — a single set of vulnerabilities affecting a large proportion of the Android user base. (Specifically, the bugs affect networking, graphics and memory allocation code.)
Qualcomm’s drivers are a big, attractive target.
All four of the exploits that make up QuadRooter affect Qualcomm drivers, so if you have a phone that uses no Qualcomm hardware at all — for example, a Galaxy S6 or Note 5 (which uses Samsung’s own Exynos processor and Shannon modem), you’re not affected by this.
2. It’s serious, but there’s no evidence of it being used in the wild
As the name suggests, QuadRoot is a collection of four exploits in Qualcomm’s code which could allow a malicious app to gain root privileges — i.e. access to do basically anything on your phone. From there, you can dream up any number of nightmare scenarios: attackers listening in on phone calls, spying through your camera, pilfering financial details or locking down your data with ransomware.
No-one’s talking about these exploits being used in the wild yet, which is a good thing. (Check Point estimates that the bad guys will have it packaged into functioning malware within three or four months.) However given the challenges involved in updating the software on the billion-plus Android devices out there, malware creators will have plenty of time to figure out a practical application.
3. Chances are you’re not actually “vulnerable”
QuadRooter is one of the many Android security issues that requires you to manually install an app. That means manually going into Security settings and toggling the “Unknown Sources” checkbox.
Any vuln which requires you to manually install an app runs into two major roadblocks: The Play Store, and Android’s built-in “Verify Apps” feature.
Given that Check Point first disclosed the vulnerabilities back in April, Google has almost certainly been scanning Play Store apps for these exploits for quite some time. That means you’ll be fine if, like most people, you only download apps from the Play Store.
And even if you don’t, Android’s “Verify Apps” feature is designed to act as an additional layer of protection, scanning apps from third-party sources for known malware before you install. This feature is enabled by default in all Android versions since 2012’s 4.2 Jelly Bean, and because it’s part of Google Play Services, it’s always updating. As of the most recent stats available, more than 90 percent of active Android devices are running version 4.2 or later.
We don’t have explicit confirmation from Google that “Verify Apps” is scanning for QuadRooter, but given that Google was informed months ago, chances are it is. And if it is, Android will identify any QuadRooter-harboring app as harmful and show a big scary warning screen before letting you get anywhere near installing it.
Update: Google has confirmed that Verify Apps can detect and block QuadRooter.
In that case, are you still “vulnerable?” Well technically . You could conceivably go to Security settings, enable Unknown Sources, then ignore the full-screen warning that you’re about to install malware and disable yet another security setting elsewhere. But at that point, to a large extent, it’s on you.
4. Android security is hard, even with monthly patches
One interesting aspect of the QuadRooter saga is what it shows us about the Android security challenges that still remain, even in a world of monthly security patches. Three of the four vulnerabilities are fixed in the latest August 2016 patches, but one has apparently slipped through the cracks and won’t be fixed until the September patch. That’s cause for legitimate concern given that disclosure happened back in April.
However, a Qualcomm rep told ZDNet that the chipmaker had been issuing patches of its own to manufacturers between April and July, so it’s possible certain models may have been updated outside of the Google patching mechanism. This only underscores the confusion involved with having an explicit patch level from Google, while device manufacturers and component makers are also providing security fixes.
Most Android phone makers suck at issuing security patches. And even up-to-date devices won’t be fully patched for another month.
For now, the only way to know if your phone is theoretically vulnerable is to download Check Point’s QuadRoot scanner app from the Play Store.
Even once patches are issued, they need to go through device manufacturers and carriers before being pushed out to phones. And although some companies like Samsung, BlackBerry and (naturally) Google have been quick about making sure the latest patches are available, most of the folks making Android devices are nowhere near as timely — especially when it comes to older or lower-priced phones.
QuadRooter underscores how the ubiquity of Qualcomm-based Android devices makes them an attractive target, while the variety of hardware as a whole makes updating all of them near impossible.
5. We’ve been here before
- Catchy marketing name? Check.
- Big scary number of “vulnerable” devices? Check.
- Free detection app peddled by security company with a product to sell? Check.
- No evidence of use in the wild? Check.
- Press at large ignoring the Play Store and Verify Apps as a roadblock against app-based exploits? Check.
It’s the same dance we do every year around security conference time. In 2014 it was Fake ID . In 2015, it was Stagefright . Unfortunately, understanding of Android security issues in the media at large has remained woeful, and that means figures like the “900 million” affected bounce around the echo chamber without context.
If you’re being smart about the apps you install, there’s not much reason to worry about. And even if you’re not, chances are Play Services and Verify Apps will have your back.
The Pixel 6 arrives at the FCC as Google prepares to launch the device in the fall. The documents show support for mmWave 5G, UWB, reverse wireless charging, and more.
Facebook is competing with Nintendo, Sony, and Microsoft in a very real way with its own gaming console, the Oculus Quest 2, which will challenge your paradigm of what a next-gen console can be.
OnePlus is shaking things up and detailing more about its partnership with OPPO. But experts still don’t think that the company will be able to beat Samsung in budget phones.
If you want the best Android camera, you should go with the Google Pixel 5. Many great options get close, though. So we’ve gathered a solid list to get you started.
- Are Android phones 'safe' from viruses & for banking?
- Op-ed: It’s time for Google to take responsibility for Android’s security updates
- Two billion devices still vulnerable to Blueborne flaws a year after discovery
- Ring app for Android full to the brim with third-party trackers: report
- Don’t worry, it’ll still be sweet: Everything you need to know about Android 11
- Oil prices had weakened even before coronavirus scare: Peter Cardillo, Spartan Capital
- Security News This Week: Google Calls Out Safari for Privacy Flaws
- Homeland Security cyber unit on alert for Election Day
- Apple security fix: This is why you should update your iPhone
- IoT security: Your smart devices must have these three features to be secure
- 5 things to know for January 24: Impeachment, coronavirus, immigration, Iraq, Myanmar
- Best Security Accessories for Students in 2020
- 6 Facebook security mistakes to fix on Data Privacy Day
- Microsoft can fix the toxic Android hellstew, but it needs a partner: Samsung, LG, ZTE or Huawei?
- Lockly Secure Pro Deadbolt review: Innovative security features to keep your home safe
- Google’s new “Android Things” OS hopes to solve awful IoT security
- IBM banned USB drives. Is it the future of security or a knee-jerk reaction?
- Android O will focus on ‘vitals’ like battery life and speed, first beta launches today
- Google IO 2020: Android 11, Google Pixel 4a and everything else to expect
- Sony Xperia X Compact review: Small Android is still good, but not much better
QuadRooter vulnerability: 5 things to know about this Android security scare have 1514 words, post on www.androidcentral.com at August 8, 2016. This is cached page on TechNews. If you want remove this page, please contact us.