New Qualcomm-targeted Android security bug is reported to put '900 million' devices at risk. Here's what you need to know.
Once again, it's Android security scare season. This morning news broke of the latest collection of vulnerabilities, discovered by security firm Check Point and grouped together under the catchy moniker "QuadRooter." As usual, most of the reporting has focused on worst-case scenarios and a shockingly huge number of potentially vulnerable devices — in this case, an estimated 900 million.
We're going to break down exactly what's going on, and just how vulnerable you're likely to be. Read on.
1. It's a Qualcomm thing
Check Point specifically targeted Qualcomm due to its dominant position in the Android ecosystem. Because so many Android phones use Qualcomm hardware, the drivers Qualcomm contributes to the software on these phones make for an attractive target — a single set of vulnerabilities affecting a large proportion of the Android user base. (Specifically, the bugs affect networking, graphics and memory allocation code.)
Qualcomm's drivers are a big, attractive target.
All four of the exploits that make up QuadRooter affect Qualcomm drivers, so if you have a phone that uses no Qualcomm hardware at all — for example, a Galaxy S6 or Note 5 (which use Samsung's own Exynos processor and Shannon modem) — you're not affected by this.
2. It's serious, but there's no evidence of it being used in the wild
As the name suggests, QuadRooter is a collection of four exploits in Qualcomm's code which could allow a malicious app to gain root privileges — i.e. access to do basically anything on your phone. From there, you can dream up any number of nightmare scenarios: attackers listening in on phone calls, spying through your camera, pilfering financial details or locking down your data with ransomware.
No-one's talking about these exploits being used in the wild yet, which is a good thing. (Check Point estimates that the bad guys will have it packaged into functioning malware within three or four months.) However, given the challenges involved in updating the software on the billion-plus Android devices out there, malware creators will have plenty of time to figure out a practical application.
3. Chances are you're not actually "vulnerable"
QuadRooter is one of the many Android security issues that require you to manually install an app. That means manually going into Security settings and toggling the "Unknown Sources" checkbox.
Any vuln which requires you to manually install an app runs into two major roadblocks: The Play Store, and Android's built-in "Verify Apps" feature.
Given that Check Point first disclosed the vulnerabilities back in April, Google has almost certainly been scanning Play Store apps for these exploits for quite some time. That means you'll be fine if, like most people, you only download apps from the Play Store.
And even if you don't, Android's "Verify Apps" feature is designed to act as an additional layer of protection, scanning apps from third-party sources for known malware before you install them. This feature is enabled by default in all Android versions since 2012's 4.2 Jelly Bean, and because it's part of Google Play Services, it's always updating. As of the most recent stats available, more than 90 percent of active Android devices are running version 4.2 or later.
We don't have explicit confirmation from Google that "Verify Apps" is scanning for QuadRooter, but given that Google was informed months ago, chances are it is. And if it is, Android will identify any QuadRooter-harboring app as harmful and show a big scary warning screen before letting you get anywhere near installing it.
Update: Google has confirmed that Verify Apps can detect and block QuadRooter.
In that case, are you still "vulnerable?" Well, technically. You could conceivably go to Security settings, enable Unknown Sources, then ignore the full-screen warning that you're about to install malware and disable yet another security setting elsewhere. But at that point, to a large extent, it's on you.
4. Android security is hard, even with monthly patches
One interesting aspect of the QuadRooter saga is what it shows us about the Android security challenges that still remain, even in a world of monthly security patches. Three of the four vulnerabilities are fixed in the latest August 2016 patches, but one has apparently slipped through the cracks and won't be fixed until the September patch. That's cause for legitimate concern given that disclosure happened back in April.
However, a Qualcomm rep told ZDNet that the chipmaker had been issuing patches of its own to manufacturers between April and July, so it's possible certain models may have been updated outside of the Google patching mechanism. This only underscores the confusion involved with having an explicit patch level from Google, while device manufacturers and component makers are also providing security fixes.
Most Android phone makers suck at issuing security patches. And even up-to-date devices won't be fully patched for another month.
For now, the only way to know if your phone is theoretically vulnerable is to download Check Point's QuadRooter scanner app from the Play Store.
Even once patches are issued, they need to go through device manufacturers and carriers before being pushed out to phones. And although some companies like Samsung, BlackBerry and (naturally) Google have been quick about making sure the latest patches are available, most of the folks making Android devices are nowhere near as timely — especially when it comes to older or lower-priced phones.
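If you have a cable and adb handy, a rough first-pass triage is possible without installing anything on the phone. The script below is an added example written for this article, not Check Point's scanner or any Google tool. It reads two things from `adb shell getprop`: whether the chipset strings look like a Qualcomm part (`msm`/`apq`/`qcom` markers in `ro.board.platform` or `ro.hardware`), and the Google security patch level in `ro.build.version.security_patch`. The thresholds are assumptions taken from the article itself: an August 2016 patch level covers three of the four bugs, and only a September 2016 level covers all four. The sample getprop dump is constructed for the demo.

```bash
#!/usr/bin/env bash
# QuadRooter triage helper, added as an example for this article (not Check Point's
# or Google's code). It decides two things from 'adb shell getprop' output:
#   1. is the device even in scope (Qualcomm chipset)?
#   2. does its Google patch level postdate the fixes the article describes?
# Thresholds are assumptions drawn from the article: three bugs fixed in the
# August 2016 patch level, the fourth only in September 2016.

# Constructed sample of the relevant getprop lines. A real device prints hundreds
# of properties in the same "[key]: [value]" format.
SAMPLE_GETPROP='[ro.board.platform]: [msm8996]
[ro.hardware]: [qcom]
[ro.build.version.security_patch]: [2016-08-05]
[ro.build.version.release]: [6.0.1]'

# Extract one property value from a getprop dump. Strips CRs because older adb
# builds emit CRLF line endings, which would otherwise defeat the $ anchor.
prop() {  # prop "<dump>" <key>
    printf '%s\n' "$1" | tr -d '\r' | sed -n "s/^\[$2\]: \[\(.*\)\]$/\1/p"
}

# Returns 0 when the platform/hardware strings carry Qualcomm markers.
is_qualcomm() {  # is_qualcomm <platform> <hardware>
    case "$1 $2" in
        *msm*|*apq*|*qcom*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a YYYY-MM-DD patch level. The property does not exist on builds older
# than Marshmallow, so an empty or malformed value is reported as unknown rather
# than guessed at.
patch_status() {  # patch_status <security_patch>
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo 'unknown'; return ;;
    esac
    n=$(printf '%s' "$1" | sed 's/-//g')   # 2016-08-05 -> 20160805 for numeric compare
    if [ "$n" -ge 20160901 ]; then
        echo 'all-four-fixed'        # September 2016 level or later (assumed threshold)
    elif [ "$n" -ge 20160801 ]; then
        echo 'three-of-four-fixed'   # August 2016 level (assumed threshold)
    else
        echo 'unpatched'
    fi
}

# Summarise a whole getprop dump as either "not-qualcomm" or "qualcomm:<status>".
quadrooter_triage() {  # quadrooter_triage "<dump>"
    platform=$(prop "$1" ro.board.platform)
    hardware=$(prop "$1" ro.hardware)
    patch=$(prop "$1" ro.build.version.security_patch)
    if is_qualcomm "$platform" "$hardware"; then
        echo "qualcomm:$(patch_status "$patch")"
    else
        echo 'not-qualcomm'
    fi
}

quadrooter_triage "$SAMPLE_GETPROP"
# On a live device: quadrooter_triage "$(adb shell getprop)"
```

Treat the answer as a ceiling, not a verdict. As the article notes, Qualcomm shipped its own fixes to manufacturers between April and July outside Google's patch level, so a device reporting an older level may already carry some of those fixes; the reverse is not true, since a pre-August level on a Qualcomm phone definitely has nothing from Google's side. For a per-bug check, the scanner app the article points to is still the tool to use.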
QuadRooter underscores how the ubiquity of Qualcomm-based Android devices makes them an attractive target, while the variety of hardware as a whole makes updating all of them near impossible.
5. We've been here before
- Catchy marketing name? Check.
- Big scary number of "vulnerable" devices? Check.
- Free detection app peddled by security company with a product to sell? Check.
- No evidence of use in the wild? Check.
- Press at large ignoring the Play Store and Verify Apps as a roadblock against app-based exploits? Check.
It's the same dance we do every year around security conference time. In 2014 it was Fake ID. In 2015, it was Stagefright. Unfortunately, understanding of Android security issues in the media at large has remained woeful, and that means figures like the "900 million" affected bounce around the echo chamber without context.
If you're being smart about the apps you install, there's not much to worry about. And even if you're not, chances are Play Services and Verify Apps will have your back.