QuadRooter is the latest big Android security scare — a collection of 4 vulnerabilities in Qualcomm-based Android gadgets that could allow a malicious app to gain root access, allowing it to do basically anything on an affected device.
Unlike last year's Stagefright exploits, QuadRooter needs to be delivered in the form of an app, meaning you'd have to enable "Unknown Sources" and manually install an app from somewhere nefarious in order to become infected. However Android's "Verify Apps" feature, included in Google Play Services and enabled by default almost four years ago in Android 4.2 Jelly Bean, is designed to protect against exactly this sort of thing.
And now we have confirmation from Google that, as expected, Verify Apps can identify and block apps using QuadRooter. A Google spokesperson gave Android Central the following statement. (Emphasis ours.)
"We appreciate Check Point's research as it helps improve the safety of the broader mobile ecosystem. Android devices with our most recent security patch level are already protected against three of these four vulnerabilities. The fourth vulnerability, CVE-2016-5340, will be addressed in an upcoming Android security bulletin, though Android partners can take action sooner by referencing the public patch Qualcomm has provided. Exploitation of these issues depends on users also downloading and installing a malicious application. Our Verify Apps and SafetyNet protections help identify, block, and remove applications that exploit vulnerabilities like these."
Verify Apps is on by default in Android 4.2 and up, which accounts for 90% of active Android devices.
While devices are technically still "vulnerable" even with Verify Apps, users would have to manually disable yet another security feature to be affected. Apps using an exploit as serious as QuadRooter would likely be roadblocked completely by Verify Apps — Android would display an "Installation has been blocked" message with no option to ignore and install anyway. (As opposed to the less serious "Installing this app may harm your device" message, which allows a click-through.)
This should happen on all Android devices running 4.2 and up with Google Play Services. It's worth underscoring several times and in glowing neon text that as of the latest data available, this accounts for more than 90% of active Android devices. And on older versions of Android going back to 2010's Gingerbread release, you can enable Verify Apps under "Security" in the Google Settings app.
QuadRooter is exactly the kind of threat Google had in mind when it created this extra layer of security.
So of the oft-quoted "900 million" vulnerable devices, 90 percent should automatically block any app using QuadRooter. And the remaining 10 percent can be protected if they enable this security feature manually. Again, QuadRooter is exactly the kind of threat Google was thinking of when it created Verify Apps and enabled it by default back in 2012.
While you could argue that it's a last line of defense, and doesn't excuse the generally woeful state of security updates among many Android manufacturers, it is an effective way to protect the many devices Google can't reach with its monthly security patches. As we reiterate every time there's a big Android security scare: issues like this are important and serious, but often overblown when they hit the media echo chamber. Context is important. More importantly, Google's built-in security safeguards should stop QuadRooter getting anywhere near those 900 million devices.