Hundreds of millions of Android devices based on Qualcomm chipsets are likely exposed to at least one of four critical vulnerabilities that allow non-privileged apps to take them over.
The four flaws were presented by security researcher Adam Donenfeld from Check Point Software Technologies on Sunday at the DEF CON security conference in Las Vegas. They were reported to Qualcomm between February and April, and the chipset maker has since released fixes for the vulnerabilities after classifying them as high severity.
Unfortunately, that doesn’t mean that all devices are yet protected. Due to the fragmentation of the Android ecosystem, many devices run older Android versions and no longer receive firmware updates, or they receive the fixes with months-long delays.
Not even Google, which releases security patches for its Nexus line of Android phones and tablets on a monthly basis, has fixed all the flaws.
The vulnerabilities have collectively been dubbed QuadRooter because, if exploited, they provide attackers with root privileges, the highest privileges on a Linux-based system like Android. Individually they're tracked as CVE-2016-2059, CVE-2016-2503, CVE-2016-2504 and CVE-2016-5340, and they're located in various drivers that Qualcomm provides to device manufacturers.
Qualcomm released patches for these vulnerabilities to customers and partners between April and July, said Alex Gantman, vice president of engineering for the Qualcomm Product Security Initiative, in an emailed statement.
Meanwhile, Google has distributed only three of these patches so far through its monthly Android security bulletins for Nexus devices. The security updates released by Google are shared with phone manufacturers in advance and are also published to the Android Open Source Project (AOSP).
Devices running Android 6.0 (Marshmallow) with a patch level of Aug. 5 should be protected against the CVE-2016-2059, CVE-2016-2503, and CVE-2016-2504 flaws. Android devices running 4.4.4 (KitKat), 5.0.2 and 5.1.1 (Lollipop) that include the Aug. 5 patches should also have the CVE-2016-2503 and CVE-2016-2504 patches, but would be vulnerable to a version of the CVE-2016-2059 exploit that Google has flagged as low severity due to existing mitigations.
The fourth vulnerability, CVE-2016-5340, remains unpatched by Google, but device manufacturers could obtain the fix for it directly from Qualcomm's Code Aurora open-source project.
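The two paragraphs above amount to a triage rule: which of the four CVEs Google's Aug. 5 patch level covers depends on the Android release, and CVE-2016-5340 was not covered by any Google bulletin at the time. The script below is an added example (not code from the article, Check Point, Qualcomm or Google) that applies exactly that rule to the output of `adb shell getprop`. It assumes the device exposes the standard `ro.build.version.release` and `ro.build.version.security_patch` properties; the patch-level property is standard from Android 6.0 onward, and older builds that lack it are reported as unknown rather than guessed. The sample property dump is constructed, and the status strings reflect only what the article says about Google's Nexus bulletins, not whether a given manufacturer shipped Qualcomm's fixes.

```python
"""Triage helper for the four QuadRooter CVEs (added example, not from the article).

Feed it the text of `adb shell getprop` and it reports, per CVE, what the
Aug. 5 2016 Google bulletin described in the article would cover.
"""
import re
from datetime import date

QUADROOTER_CVES = ("CVE-2016-2059", "CVE-2016-2503", "CVE-2016-2504", "CVE-2016-5340")
AUG_2016_PATCH_LEVEL = date(2016, 8, 5)  # patch level named in the article

PATCHED = "patched (per Google Aug. 5 bulletin)"
LOW_SEVERITY_VARIANT = "low-severity variant remains (pre-6.0 build)"
UNKNOWN = "unpatched by Google / unknown, check OEM or Qualcomm fix"


def parse_getprop(output: str) -> dict:
    """Parse `getprop` lines of the form `[key]: [value]` into a dict."""
    props = {}
    for line in output.splitlines():
        m = re.match(r"\[(.+?)\]: \[(.*)\]", line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_patch_level(value: str):
    """ro.build.version.security_patch is YYYY-MM-DD; return None if absent/malformed."""
    try:
        y, m, d = (int(x) for x in value.split("-"))
        return date(y, m, d)
    except (ValueError, AttributeError):
        return None


def android_major(release: str) -> int:
    """Major version from ro.build.version.release ('6.0.1' -> 6); 0 if not numeric."""
    head = release.split(".")[0]
    return int(head) if head.isdigit() else 0


def quadrooter_status(props: dict) -> dict:
    """Map each QuadRooter CVE to a status string based on the article's rule.

    - Aug. 5 patch level on Android 6.0+: 2059, 2503 and 2504 patched.
    - Aug. 5 patch level on 4.4.4 / 5.0.2 / 5.1.1: 2503 and 2504 patched,
      a low-severity 2059 variant remains.
    - CVE-2016-5340 had no Google bulletin fix at time of writing.
    """
    major = android_major(props.get("ro.build.version.release", ""))
    patch = parse_patch_level(props.get("ro.build.version.security_patch", ""))
    has_aug_level = patch is not None and patch >= AUG_2016_PATCH_LEVEL

    status = {cve: UNKNOWN for cve in QUADROOTER_CVES}
    if has_aug_level:
        status["CVE-2016-2503"] = PATCHED
        status["CVE-2016-2504"] = PATCHED
        status["CVE-2016-2059"] = PATCHED if major >= 6 else LOW_SEVERITY_VARIANT
    return status


def outstanding(props: dict) -> list:
    """CVEs that are not fully covered by Google's bulletin for this build."""
    return [cve for cve, s in quadrooter_status(props).items() if s != PATCHED]


# Constructed sample: a Marshmallow build carrying the Aug. 5 patch level.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2016-08-05]
[ro.product.model]: [constructed-device]
"""

if __name__ == "__main__":
    props = parse_getprop(SAMPLE_GETPROP)
    for cve, s in quadrooter_status(props).items():
        print(f"{cve}: {s}")
    print("outstanding:", outstanding(props))
```

Run it against a real dump with `adb shell getprop > props.txt` and pass the file contents to `parse_getprop`; the function deliberately reports "unknown" rather than "patched" whenever the patch-level property is missing, since a manufacturer may have pulled the driver fix from Qualcomm's Code Aurora tree without bumping the Google patch level, and that cannot be determined from properties alone.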
"This flaw will be addressed in an upcoming Android security bulletin, though Android partners can take action sooner by referencing the public patch Qualcomm has provided," a Google representative said via email. Exploiting any of these four vulnerabilities would involve users downloading malicious applications, Google said.
"Our Verify Apps and SafetyNet protections help identify, block, and remove applications that exploit vulnerabilities like these," the representative added.
It's true that exploiting the flaws can only be done through rogue applications and not directly through remote attack vectors like browsing, email or SMS, but those malicious applications would not require any privileges, according to Check Point.