New ‘QuadRooter’ Vulnerability Affects Over 900 Million Android Phones
Check Point certainly got everyone’s attention yesterday when they disclosed details of the QuadRooter vulnerability at DEF CON 24 in Las Vegas.
So, here’s everything you need to know about what QuadRooter vulnerability is, which devices are affected, how it operates and what you need to do now.
What is QuadRooter Vulnerability?
QuadRooter is a set of 4 new vulnerabilities allowing an attacker to gain root access to an Android device. QuadRooter affects different modules of the Android system:
- IPC Router - Provides inter-process communication for various hardware drivers, user mode processes and components.
- kgsl_sync - Synchronizes the CPU and apps.
- Ashmem - Android’s proprietary memory allocation subsystem. It enables processes to share memory buffers efficiently.
- kgsl - Qualcomm’s kernel driver. It renders graphics by communicating with user-mode binaries.
QuadRooter affects all Android phones and tablets which use Qualcomm chipsets. That’s around 900 million devices.
Which Devices are Affected?
Some of the affected devices include the Samsung Galaxy S7 and Samsung S7 Edge, Sony Xperia Z Ultra, Google Nexus 5X, Nexus 6 and Nexus 6P and even the BlackBerry Priv, which its manufacturer boasts is the world’s most secure Android.
How does QuadRooter Vulnerability Affect You?
In order for an attacker to gain access to a device, the user needs to first install a malicious app. Yet unlike other malware, this app requires no special permissions, removing any suspicions users may have before installing.
Once the malware is installed, the app can gain full root access to the Android device by exploiting any of the four vulnerabilities. Therefore, all system contents and controls (including sensitive data, microphone, GPS and system changes) can be accessed by the attacker.
QuadRooter Vulnerability Information and Patches
The vulnerabilities’ CVSS severity scores are all 7.8, meaning these are vulnerabilities where remediation is a real priority.
Thankfully, Check Point notified Qualcomm of the vulnerabilities between February and April 2016, allowing Qualcomm to provide Google with patches for all flaws between April and July 2016.
Subsequently, three of the flaws were fixed by Google’s August security updates, yet one didn’t make the cut as it wasn’t dispatched in time. This patch is due for release in Google’s September update.
There was a delay in issuing the fourth patch as phone manufacturers take Android open source code from Qualcomm, instead of directly from Google. Therefore, there's confusion about who fixes what between the two companies. This highlights the challenges of issuing timely updates for an open source operating system.
Challenge of Updating an Open Source Operating System
As Android is open source, phone manufacturers routinely modify Android’s code base to customize their hardware and gain competitive advantage. These manufacturers are then responsible for updating their own devices with the latest software, but many don’t do it in a timely fashion.
Unsurprisingly, manufacturers who control both software and hardware are able to ship patches and updates more easily than those who don’t. We just need to look at the stats. 7.5% of Android devices are running its latest version, compared to 86% of Apple devices running the latest iOS version.
What to do now?
First of all, you may want to find out if your device is vulnerable. To do so, you can run Check Point’s free app.
Also, no devices have actually been exploited in the wild. But for devices to be fully protected against QuadRooter, users have to wait until their phone manufacturers integrate the fixes into their custom ROMs.
One major lesson to be learned from QuadRooter is the importance of tracking the open source components within your software and devices.
WhiteSource is an automated open source management solution, which detects open source libraries in your software within minutes, including all dependencies. We also continuously monitor new CVEs and inform our customers, in real time, about vulnerable libraries in their software, and fixes for them. So, how many vulnerable open source libraries are you currently using?