QuadRooter Threat Leaves 900m Android Devices Vulnerable to Attack, Check Point Says

The Samsung Galaxy S7 is one of the Android devices at risk from the QuadRooter threat, Check Point says

Digital security firm Check Point has uncovered details about a set of four vulnerabilities affecting 900m Android smartphones and tablets that use Qualcomm chipsets. The Check Point mobile threat research team has named the set of vulnerabilities QuadRooter.

In a blog post, Check Point explains how, if any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations for the purpose of gaining root access to a device. This would give the attacker complete control of devices and unrestricted access to sensitive personal and enterprise data on them. Access could also provide an attacker with capabilities such as keylogging, GPS tracking, and recording video and audio.

An attacker can exploit these vulnerabilities using a malicious app. The app would require no special permissions to take advantage of the vulnerabilities, allaying any suspicion users may have when installing it.

The devices vulnerable to a QuadRooter attack include the Samsung Galaxy S7 and Samsung S7 Edge; Sony Xperia Z Ultra; Google Nexus 5X, Nexus 6 and Nexus 6P; HTC One, HTC M9 and HTC 10; LG G4, LG G5, and LG V10; the New Moto X by Motorola; the BlackBerry Priv; and the Blackphone 1 and Blackphone 2.

Since the vulnerable drivers are pre-installed on devices at the point of manufacture, they can only be fixed by installing a patch from the distributor or carrier. Distributors and carriers issuing patches can only do so after receiving fixed driver packs from Qualcomm.

The BBC reports that Check Point handed information about the bugs and proof-of-concept code to Qualcomm earlier this year, and that Qualcomm subsequently created patches for the bugs and started to use the fixed versions in its factories. But while Qualcomm has apparently distributed patches to phone makers and mobile operators, it’s not clear how many of those companies have issued updates to customers’ phones.

Check Point said the situation highlights the inherent risks in the Android security model. Critical security updates must pass through the entire supply chain before they can be made available to end users. Once available, the end users must then be sure to install these updates to protect their devices and data.

Check Point has advised Android users to download and install the latest Android updates as soon as they become available. It also recommends they examine carefully any app installation request before accepting it to make sure it’s legitimate. And it says they should consider using mobile security solutions designed to detect suspicious behaviour on a device, including malware that could be obfuscated within installed apps.

We have asked Qualcomm for their reaction to the disclosure of the threat, but have not yet received a response.

Update:
Qualcomm has now issued a statement, with links to supporting materials, as follows…

Providing technologies that support robust security and privacy is a priority for Qualcomm Technologies, Inc. (QTI). We were notified by the researcher about these vulnerabilities between February and April of this year, and made patches available for all four vulnerabilities to customers, partners, and the open source community between April and July. The patches were also posted on CodeAurora. QTI continues to work proactively both internally as well as with security researchers to identify and address potential security vulnerabilities.

CAF advisory links:
Invalid Path Check on ashmem Memory File (CVE-2016-5340)

Use after Free due to Race Conditions in KGSL Module (CVE-2016-2504, CVE-2016-2503)

Linux IPC router binding any port as a control port (CVE-2016-2059)