QuadRooter is the latest big Android security scare — a collection of 4 vulnerabilities in Qualcomm-based Android gadgets that could allow a malicious app to gain root access, allowing it to do basically anything on an affected device.
Unlike last year's Stagefright exploits, QuadRooter needs to be delivered in the form of an app, meaning you'd have to enable "Unknown Sources" and manually install an app from somewhere nefarious in order to become infected. However Android's "Verify Apps" feature, included in Google Play Services and enabled by default almost four years ago in Android 4.2 Jelly Bean, is designed to protect against exactly this sort of thing.
And now we have confirmation from Google that, as expected, Verify Apps can identify and block apps using QuadRooter. A Google spokesperson gave Android Central the following statement. (Emphasis ours.)
While devices are technically still "vulnerable" even with Verify Apps, users would have to manually disable yet another security feature to be affected. Apps using an exploit as serious as QuadRooter would likely be roadblocked completely by Verify Apps — Android would display an "Installation has been blocked" message with no option to ignore and install anyway. (As opposed to the less serious "Installing this app may harm your device" message, which allows a click-through.)
This should happen on all Android devices running 4.2 and up with Google Play Services. It's worth underscoring several times and in glowing neon text that as of the latest data available, this accounts for more than 90% of active Android devices. And on older versions of Android going back to 2010's Gingerbread release, you can enable Verify Apps under "Security" in the Google Settings app.
So of the oft-quoted "900 million" vulnerable devices, 90 percent should automatically block any app using QuadRooter. And the remaining 10 percent can be protected if they enable this security feature manually. Again, QuadRooter is exactly the kind of threat Google was thinking of when it created Verify Apps and enabled it by default back in 2012.
While you could argue that it's a last line of defense, and doesn't excuse the generally woeful state of security updates among many Android manufacturers, it is an effective way to protect the many devices Google can't reach with its monthly security patches. As we reiterate every time there's a big Android security scare: issues like this are important and serious, but often overblown when they hit the media echo chamber. Context is important. More importantly, Google's built-in security safeguards should stop QuadRooter getting anywhere near those 900 million devices.
Be an expert in 5 minutes
Get the latest news from Android Central, your trusted companion in the world of Android
Alex was with Android Central for over a decade, producing written and video content for the site, and served as global Executive Editor from 2016 to 2022.