Anti-Malware , Technology

Four Android Flaws Leave 900M Devices at Risk

Attackers Can Root Devices via Qualcomm Chipset Software, Check Point Warns
Four Android Flaws Leave 900M Devices at Risk

Four vulnerabilities relating to Qualcomm chipsets used by an estimated 900 million Android smartphones and tablets could each be exploited to seize control of devices and steal any data they store, warns Israeli cybersecurity firm Check Point.

See Also: Addressing the Identity Risk Factor in the Age of 'Need It Now'

Devices from numerous manufacturers - including Samsung, HTC, Motorola and LG - are reportedly at risk from the flaws, which exist in chipset-related code created by Qualcomm.

"If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations and gain root access to a device," Check Point warns in a related research report into the flaws, which it's dubbed "Quadrooter."

Researchers from Check Point, who first detailed their findings on Aug. 7 at the Def Con conference in Las Vegas, say that an attacker could exploit the flaws by sneaking a malicious app onto a user's device, and that the vulnerabilities could be exploited without requiring users to grant them any special permissions, thus masking the attack.

Qualcomm has confirmed the flaws and said it's released related fixes. "We were notified by the researcher about these vulnerabilities between February and April of this year, and made patches available for all four vulnerabilities to customers, partners, and the open source community between April and July," a Qualcomm spokeswoman tells Information Security Media Group, noting that the patches have also been posted to the open source, mobile-focused Code Aurora forum. "[Qualcomm] continues to work proactively both internally as well as with security researchers to identify and address potential security vulnerabilities," she adds.

Qualcomm controlled 65 percent of the world's 4G/LTE chipset market in 2015, compared with Samsung, which controlled 12 percent market share - largely due to the tech giant building its own chips for Galaxy S6, Galaxy S6 edge, and Galaxy Note5 devices - according to market researcher ABI Research.

A Google spokeswoman tells ISMG that any user who's installed the July security update for Android is protected against three of the four flaws. "The fourth vulnerability, CVE-2016-5340, will be addressed in an upcoming Android security bulletin, though Android partners can take action sooner by referencing the public patch Qualcomm has provided."

Still, many Android users may have to wait months - or longer - for their device manufacturers or cellular providers to release fixes that will work on the customized versions of Android that run their devices (see FTC, FCC Launch Mobile Security Inquiries).

"Fixes require mind-bending coordination between suppliers, manufacturers, carriers and users before patches make it from the drawing board to installation," Check Point notes in its report. "The fragmented world of Android leaves many users exposed to risk, even with out-of-the-box devices."

Qualcomm Chipset Code: Four Flaws

Check Point says the flaws it discovered involve a vulnerability in a Qualcomm-built kernel module, called ipc_router, that allows various Qualcomm components to communicate (CVE-2016-2059); a vulnerability in Ashmem - Android's propriety memory allocation subsystem (CVE-2016-5340); and two different flaws in Android's kernel graphics support layer driver (CVE-2016-2503, CVE-2016-2504).

"Preinstalled on devices at the point of manufacturing, these vulnerable drivers can only be fixed by installing a patch from the distributor or carrier," Check Point says. "Distributors and carriers can only issue patches after receiving fixed driver packs from Qualcomm."

Now Manufacturers Must Patch

Now, it's up to affected manufacturers and mobile phone providers to create fixes for customers and subscribers. Via Check Point, here's a partial list of vulnerable devices:

  • BlackBerry Priv;
  • Blackphone 1 and 2;
  • Google Nexus 5X, 6 and 6P;
  • HTC One M9 and HTC 10;
  • LG G4, G5, and V10;
  • New Moto X by Motorola;
  • OnePlus One, 2 and 3;
  • Samsung Galaxy S7 and S7 Edge;
  • Sony Xperia Z Ultra.

Check Point has also released a free QuadRooter Scanner app via Google Play designed to scan for the presence of any of the four flaws it found.

Ongoing Threat: Malicious Apps

The Google spokeswoman attempted to downplay any risks relating to the four flaws, noting that the flaw would require attackers to sneak a malicious app onto a target's smartphone or tablet. "Exploitation of these issues depends on users also downloading and installing a malicious application," she says. "Our Verify apps and SafetyNet protections help identify, block, and remove applications that exploit vulnerabilities like these."

But app stores - from Google, Apple, or any other provider - aren't immune to attackers sneaking in malicious apps (see Apple Battles App Store Malware Outbreak). Plus, while Google says it's built strong security controls into its app store - Google Play - not all parts of the world enjoy full access to the site, thus driving users to seek less-secure alternatives. In China, for example, users reportedly can only access free apps, rather than paid apps, on Google Play. Not coincidentally, many attackers repackage legitimate, popular Android apps, oftentimes creating "free" Trojanized versions designed to sneak adware onto users' devices.

In July, Check Point reported that a single Chinese cybercrime group - associated with China-based mobile ad server company Yingmob - was earning $300,000 per month via such attacks, and controlled 10 million infected Android devices around the world (see Android Trojanized Adware 'Shedun' Infections Surge).

This story has been updated with comments from Qualcomm and Google.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network