Google confirms 'Verify Apps' can block apps using QuadRooter vulnerabilities

By Alex Dobie
last updated

QuadRooter is the latest big Android security scare — a collection of 4 vulnerabilities in Qualcomm-based Android gadgets that could allow a malicious app to gain root access, allowing it to do basically anything on an affected device.

Unlike last year's Stagefright exploits, QuadRooter needs to be delivered in the form of an app, meaning you'd have to enable "Unknown Sources" and manually install an app from somewhere nefarious in order to become infected. However Android's "Verify Apps" feature, included in Google Play Services and enabled by default almost four years ago in Android 4.2 Jelly Bean, is designed to protect against exactly this sort of thing.

And now we have confirmation from Google that, as expected, Verify Apps can identify and block apps using QuadRooter. A Google spokesperson gave Android Central the following statement. (Emphasis ours.)

"We appreciate Check Point's research as it helps improve the safety of the broader mobile ecosystem. Android devices with our most recent security patch level are already protected against three of these four vulnerabilities. The fourth vulnerability, CVE-2016-5340, will be addressed in an upcoming Android security bulletin, though Android partners can take action sooner by referencing the public patch Qualcomm has provided. Exploitation of these issues depends on users also downloading and installing a malicious application. Our Verify Apps and SafetyNet protections help identify, block, and remove applications that exploit vulnerabilities like these."

Verify Apps is on by default in Android 4.2 and up, which accounts for 90% of active Android devices.

While devices are technically still "vulnerable" even with Verify Apps, users would have to manually disable yet another security feature to be affected. Apps using an exploit as serious as QuadRooter would likely be roadblocked completely by Verify Apps — Android would display an "Installation has been blocked" message with no option to ignore and install anyway. (As opposed to the less serious "Installing this app may harm your device" message, which allows a click-through.)

This should happen on all Android devices running 4.2 and up with Google Play Services. It's worth underscoring several times and in glowing neon text that as of the latest data available, this accounts for more than 90% of active Android devices (opens in new tab). And on older versions of Android going back to 2010's Gingerbread release, you can enable Verify Apps under "Security" in the Google Settings app.

QuadRooter is exactly the kind of threat Google had in mind when it created this extra layer of security.

So of the oft-quoted "900 million" vulnerable devices, 90 percent should automatically block any app using QuadRooter. And the remaining 10 percent can be protected if they enable this security feature manually. Again, QuadRooter is exactly the kind of threat Google was thinking of when it created Verify Apps and enabled it by default back in 2012.

While you could argue that it's a last line of defense, and doesn't excuse the generally woeful state of security updates among many Android manufacturers, it is an effective way to protect the many devices Google can't reach with its monthly security patches. As we reiterate every time there's a big Android security scare: issues like this are important and serious, but often overblown when they hit the media echo chamber. Context is important. More importantly, Google's built-in security safeguards should stop QuadRooter getting anywhere near those 900 million devices.

MORE: Top 5 things to know about the 'QuadRooter' Android security scare

Alex Dobie
Alex Dobie
Executive Editor

Alex was with Android Central for over a decade, producing written and video content for the site, and served as global Executive Editor from 2016 to 2022.

23 Comments
  • Noob question but is this a Qualcomm problem or a Qualcomm/Android problem so Samsung Exynos and Mediatek SOC are unaffected? Posted via the Android Central App (V10 or Nexus 5x)
  • It's a problem with some Qualcomm drivers, so Exynos & Mediatek devices aren't susceptible to the Quadrooter exploit. Posted via the Android Central App
  • Thanks. Posted via the Android Central App
  • So on a nexus 6P where did the verify apps setting go? I don't see it in the security menu. Found a suggestion that it only appears if you are using unknown sources but I've been turning on unknown sources to get amazon prime so I know I have sideloaded apps too.
  • I was wondering the same thing for my Nexus 6. I do have the Nougat beta, so I was wondering if it was removed as an option or moved to a different menu.
  • On my Nexus 6P, it's under Settings/Google/Security/Verify Apps.
  • ^THIS^ Google Nexus 6P
  • Thanks man, nice to know where it moved to.
  • It is in the Google Settings. Go to your phone settings then go to Google then Security. And check all under verify apps.
  • Now shi*ty websites like the BBC, WSJ etc needs to update their fear mongering articles From my basement in Senegal
  • They won't update that click bait, it's making them money.
  • I heard Pokemon Go uses this exploit and now some guy is tracking everyone from a basement in Senegal.
  • So how does verify apps know to block these dangerous apps?
  • Magic Posted via Techmology
  • By verifying it? Google Nexus 6P
  • Google-- The Great and Powerful Oz I don't know, I don't have the option on my N6, don't know how it can be on a 6P if we all use marshmallow. Still trying to find out
  • The only time I install apps from "unknown sources" is when Amazon Video needs an update. If Jeff Bezos did the right thing and allowed Amazon Video to be on Google Play, I'd wager fewer people would be susceptible to such exploits. Another good move would be for more device manufacturers to do what Samsung and some others do and include an option to automatically disable the unknown sources option once the app has been installed. Posted via the Android Central App
  • Have to agree how many had to turn off this security feature to install Amazon video app? All because Bozo refuses to play nice with Google Play
  • I install one outside app. Adaway. After that I turn that setting back on.
  • I have AVG Pro installed on my phone so if I forget to turn off unknown sources, it let's me know Posted via the Android Central App
  • I need that wallpaper Pimp lol Posted via the Android Central App running on my Galaxy S7
  • Qualcomm has really dropped the ball lately. First with their chips (810/808) and now these exploits. Come on Qualcomm, get it together. 
  • Here is one example of someone who experienced "auto-rooting" malware. There are several versions of this alone, not to mention tons of other malware that affects unpatched devices. Often people here, including the author's, forget about the millions of users worldwide, who don't have Google services. Most western users are largely protected, but not completely. So, check this out to see just how difficult it is to remove some malware, which factory resets are useless.
    https://discuss.howtogeek.com/t/android-tablet-malware/47827 Posted via the Android Central App