
QuadRooter vulnerability: 5 things to know about this Android security scare

Once again, it's Android security scare season. This morning news broke of the latest collection of vulnerabilities, discovered by security firm Check Point and grouped together under the catchy monicker "QuadRooter." As usual, most of the reporting has focused on worst-case scenarios and a shockingly huge number of potentially vulnerable devices — in this case, an estimated 900 million.

We're going to break down exactly what's going on, and just how vulnerable you're likely to be. Read on.

1. It's a Qualcomm thing

Check Point specifically targeted Qualcomm due to its dominant position in the Android ecosystem. Because so many Android phones use Qualcomm hardware, the drivers Qualcomm contributes to the software on these phones make for an attractive target — a single set of vulnerabilities affecting a large proportion of the Android user base. (Specifically, the bugs affect networking, graphics and memory allocation code.)

Qualcomm's drivers are a big, attractive target.

All four of the exploits that make up QuadRooter affect Qualcomm drivers, so if you have a phone that uses no Qualcomm hardware at all (for example, a Galaxy S6 or Note 5, which use Samsung's own Exynos processor and Shannon modem), you're not affected by this.

2. It's serious, but there's no evidence of it being used in the wild

As the name suggests, QuadRooter is a collection of four exploits in Qualcomm's code which could allow a malicious app to gain root privileges, i.e. access to do basically anything on your phone. From there, you can dream up any number of nightmare scenarios: attackers listening in on phone calls, spying through your camera, pilfering financial details or locking down your data with ransomware.

No one's talking about these exploits being used in the wild yet, which is a good thing. (Check Point estimates that the bad guys will have it packaged into functioning malware within three or four months.) However, given the challenges involved in updating the software on the billion-plus Android devices out there, malware creators will have plenty of time to figure out a practical application.

But...

3. Chances are you're not actually "vulnerable"

QuadRooter is one of the many Android security issues that requires you to manually install an app. That means manually going into Security settings and toggling the "Unknown Sources" checkbox.

Any vulnerability which requires you to manually install an app runs into two major roadblocks: the Play Store, and Android's built-in "Verify Apps" feature.

Given that Check Point first disclosed the vulnerabilities back in April, Google has almost certainly been scanning Play Store apps for these exploits for quite some time. That means you'll be fine if, like most people, you only download apps from the Play Store.

And even if you don't, Android's "Verify Apps" feature is designed to act as an additional layer of protection, scanning apps from third-party sources for known malware before you install. This feature is enabled by default in all Android versions since 2012's 4.2 Jelly Bean, and because it's part of Google Play Services, it's always updating. As of the most recent stats available, more than 90 percent of active Android devices are running version 4.2 or later.

We don't have explicit confirmation from Google that "Verify Apps" is scanning for QuadRooter, but given that Google was informed months ago, chances are it is. And if it is, Android will identify any QuadRooter-harboring app as harmful and show a big scary warning screen before letting you get anywhere near installing it.

Update: Google has confirmed that Verify Apps can detect and block QuadRooter.

In that case, are you still "vulnerable"? Well, technically. You could conceivably go to Security settings, enable Unknown Sources, then ignore the full-screen warning that you're about to install malware and disable yet another security setting elsewhere. But at that point, to a large extent, it's on you.

4. Android security is hard, even with monthly patches

One interesting aspect of the QuadRooter saga is what it shows us about the Android security challenges that still remain, even in a world of monthly security patches. Three of the four vulnerabilities are fixed in the latest August 2016 patches, but one has apparently slipped through the cracks and won't be fixed until the September patch. That's cause for legitimate concern given that disclosure happened back in April.

However, a Qualcomm rep told ZDNet that the chipmaker had been issuing patches of its own to manufacturers between April and July, so it's possible certain models may have been updated outside of the Google patching mechanism. This only underscores the confusion involved with having an explicit patch level from Google, while device manufacturers and component makers are also providing security fixes.

Most Android phone makers suck at issuing security patches. And even up-to-date devices won't be fully patched for another month.

For now, the only way to know if your phone is theoretically vulnerable is to download Check Point's QuadRooter scanner app from the Play Store.

Even once patches are issued, they need to go through device manufacturers and carriers before being pushed out to phones. And although some companies like Samsung, BlackBerry and (naturally) Google have been quick about making sure the latest patches are available, most of the folks making Android devices are nowhere near as timely — especially when it comes to older or lower-priced phones.

QuadRooter underscores how the ubiquity of Qualcomm-based Android devices makes them an attractive target, while the variety of hardware as a whole makes updating all of them near impossible.
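The three things this article leans on (security patch level, the Unknown Sources toggle, and Verify Apps) can be read off a device over adb and combined into one verdict. The script below is an added example, not code from Check Point, Google or this article's author; the month thresholds follow the article's wording, while the property and settings key names (AOSP names as of Android 6.0) and the exposure labels are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article): audit the three mitigations it discusses.
# Month thresholds follow the article's wording:
#   before 2016-08 -> unpatched, 2016-08 -> partial (three of four fixed),
#   2016-09 or later -> full (last fix expected).
# Assumption: month granularity only; bulletins of this period publish more
# than one patch-level string per month, which this does not distinguish.

# classify_patch_level YYYY-MM-DD -> unpatched | partial | full | unknown
classify_patch_level() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;   # e.g. empty on builds without the property
    esac
    ym=$(printf '%s' "$1" | cut -c1-4,6-7)   # "2016-08-05" -> "201608"
    if [ "$ym" -ge 201609 ]; then echo full
    elif [ "$ym" -eq 201608 ]; then echo partial
    else echo unpatched
    fi
}

# audit_device PATCH_LEVEL UNKNOWN_SOURCES VERIFY_APPS -> "patch=... exposure=..."
# Exposure labels (hypothetical, defined for this example only):
#   patched  all four fixes expected at this patch level
#   low      drivers not fully patched, but sideloading is off
#   guarded  sideloading is on, Verify Apps still scans installs
#   high     sideloading is on and Verify Apps is off
audit_device() {
    level=$(classify_patch_level "$1")
    sideload=$2
    verify=$3
    # `settings get` prints "null" for an unset key; fall back to the defaults
    # the article describes (Unknown Sources off, Verify Apps on).
    if [ "$sideload" != "1" ]; then sideload=0; fi
    if [ "$verify" != "0" ]; then verify=1; fi
    if [ "$level" = "full" ]; then exposure=patched
    elif [ "$sideload" = "0" ]; then exposure=low
    elif [ "$verify" = "1" ]; then exposure=guarded
    else exposure=high
    fi
    echo "patch=$level exposure=$exposure"
}

# read_device: pull live values over adb (needs a connected, authorized device).
# Assumed key locations; API 17-20 keeps install_non_market_apps under `global`.
read_device() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found" >&2; return 1; }
    p=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    u=$(adb shell settings get secure install_non_market_apps | tr -d '\r')
    v=$(adb shell settings get global package_verifier_enable | tr -d '\r')
    audit_device "$p" "$u" "$v"
}

# Constructed sample readings: patch level, Unknown Sources, Verify Apps.
# "-" stands for a device that reports no patch level at all.
run_samples() {
    while read -r p u v; do
        printf '%-11s unknown_sources=%-4s verify_apps=%-4s -> %s\n' \
            "$p" "$u" "$v" "$(audit_device "$p" "$u" "$v")"
    done <<'EOF'
2016-05-01 0 1
2016-08-05 1 null
2016-08-05 1 0
2016-09-06 1 0
- 1 1
EOF
}

if [ "${1:-}" = "--live" ]; then read_device; else run_samples; fi
```

Because Qualcomm also shipped fixes directly to manufacturers, a device can be better patched than its reported patch level suggests, so treat `unpatched` and `partial` as upper bounds on exposure.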

5. We've been here before

  • Catchy marketing name? Check.
  • Big scary number of "vulnerable" devices? Check.
  • Free detection app peddled by security company with a product to sell? Check.
  • No evidence of use in the wild? Check.
  • Press at large ignoring the Play Store and Verify Apps as a roadblock against app-based exploits? Check.

It's the same dance we do every year around security conference time. In 2014 it was Fake ID. In 2015, it was Stagefright. Unfortunately, understanding of Android security issues in the media at large has remained woeful, and that means figures like the "900 million" affected bounce around the echo chamber without context.

If you're being smart about the apps you install, there's not much to worry about. And even if you're not, chances are Play Services and Verify Apps will have your back.


Alex was with Android Central for over a decade, producing written and video content for the site, and served as global Executive Editor from 2016 to 2022.

96 Comments
  • Ugh... Another one. Has anybody on here even experienced any kind of trouble from one of these scares? Posted with my awesome Gold S6 Edge+
  • Well at least the name isn't quite so stupid this time... But, how would people know? Most malware doesn't actually flash up a skull and crossbones with a large red message saying "U H4V3 B33N H4CK3D!1!", It just sits there in the background doing its thing and trying not to be noticed. Posted via the Android Central App
  • I jus wanna know, WHAT DOES JERRY THINK? What would he do? C'mon, @jerryhildebrand!
  • Anything that involves someone else touching my phone or me installing it and saying it's OK for it to run isn't malware. It's stupidware. Lock your shit up tight. Only install stuff if you know what it is. Buy phones from vendors who patch you against true online exploits that require no user interaction. Then ignore this sort of shit. I am. :)
  • Yes! Letting others play with your phone is right up there with sideloading apps in my view..
  • No.
  • Apparently a friend of mine who was using a super old S3 or something like that got his phone wiped or bricked by the Stagefright thing.
  • This is the beginning of the banking virus. Everyone pay attention. If you hear on a Friday, that you cannot use your bank account (withdrawals online banking, etc. ) Because there is a virus in the banking system servers (that they will have everything under control on the following Monday.) You have 72 hours to hug your loved ones, get to your guns, make peace with your god(s!) The theory is: They plan to roll out martial law. The Snipers shootings are to create a case for removing all high powered guns from your hands as a citizen. Therefore you will have nothing that will penetrate armor.
    Just a theory that is already well known and all over the web. I'm just an information junky. Call me a conspiracy nut. But you have been armed with the same info..
    Good Luck. Everyone can think I am a lunatic all they want. I have been waiting to see these kind of reports.
  • i am not worried about malware as long as you install from play store and install apps only from a reputable developer
  • So with this exploit, someone can listen in on your conversations and read your messages? Like NSA does? I'm not worried, one more person reading the shopping lists I exchange with my wife is not going to be the end of the world LOL Posted via the Android Central App
  • As much as I hate to say it this is where Apple has Android beat. Security and updates.
  • Or at least, that's what they'd have us believe... Posted via the Android Central App
  • Android's plenty secure unless you voluntarily turn off the built in protections. The update models are completely different so it's difficult to compare the two platforms.
  • My 1996 AT&T wired landline phone has Apple and Android phones beat in security hands down, but I don't use it because it is too restricted compared to a cellphone. Just like I don't use iOS products because they are too restricted compared to most Android devices. Posted via the Android Central App
  • ^
    | Good comment right here Posted via the Android Central App
  • Lmao Posted via the Android Central App (V10 or Nexus 5x)
  • Lol, very good point.
  • It's only an issue if you decide to sideload stuff which most normal users probably don't even know you can. Then you have to be frequenting some pretty shady sites in order to even get the apk that contains the malware. There is a reason 900 million phones may be affected yet no evidence of anyone's phone actually being infected.
  • I'm wondering, I never sideload apps regularly. I have installed showbox and kodi though and that's it, ever. I used the app and it detected both vulnerabilities. So if that's the case it MUST be either showbox or kodi.. But my phone flies and still acts no different. Nexus 6. Posted via the Android Central App
  • You're confusing cause and effect. The vulnerabilities exist regardless of the apps, so even if you had never installed them, the vulnerabilities would be reported. If you can, patch your phone with the latest security update (August) which will go some way towards protecting your phone. You'll have to wait until September before it is fully patched and secure against Quadrooter vulnerabilities.
  • How does Apple have Android beat on security? There are zero reported cases of infections. How do you beat zero infections?
  • 900 million is the wrong number.
    Let's instead count the number of active snapdragon powered devices that are not yet updated to Kit Kat, haven't received a security update since at least June and are physically in the hands of sophisticated criminals that are using this set of exploits on a rooted and unlocked device, without the owner being aware of the fact that the device is missing. Oh wait, if you have unrestricted physical access to someone's device and it's unlocked and rooted ... YOU DON'T NEED AN EXPLOIT! This is pointless. All vulnerabilities that require physical access to the device (3 of the 4 here) are ignoring the fact that you already have physical access to the device and therefore wouldn't need an exploit.
  • With -1 infections? Lol
  • Android actively protects. Google is proactive, Apple is reactive.. Android is far and wide more secure than iOS. (assuming both are on their current versions). Posted via Techmology
  • Keep telling yourself lies like that and you'll start to believe them :D. You all know damn well Google isn't proactive when it comes to security. Hell, they're even trying to compromise it further with nougat on the horizon. Fragmentation, lack of hardware requirements, and lackluster OEM contribution make Android the LEAST secure mobile OS by far. It's not even close..... Posted via the Android Central App
  • Google pays out thousands to the community to find vulnerabilities.. Apple does not. Apple is a false sense of security. Posted via Techmology
  • Ummm.... https://www.wired.com/2016/08/apples-finally-offering-bug-bounties-highe... Posted via the Android Central App
  • ASSUMING. Most iOS devices going back several generations receive updates directly from Apple.
    A huge number of Android devices, however, do not receive updates from the handset manufacturers. It's a constant gripe of many savvy users. I've no doubt that things will improve, but handset manufacturers are more interested in earning $$$ than spending $$$ to keep older handsets secure.
  • Yes, assuming. Not talking about old versions. Posted via Techmology
  • Both are fair, apple devices receives regular updates, also google ONLY products regular updates, the other manufacturers, let's say that they are exempted cause iOS has no partners. So in general both receives updates regularly
  • I strongly disagree. Android lacks standardization as compared to Apple who has reliability along with consistency with what you get with them in terms of security.
  • I disagree with your disagreement. Nexus is standardized and are the safest phones you can use. (and Blackberry, Black Phone) Posted via Techmology
  • Jennifer Lawrence has some photos she'd like to talk to you about.
  • And dozens of other celebrities.. Lol Posted via Techmology
  • Except she and other celebrities accounts weren't hacked in name and iCloud wasn't hacked nor any other Apple service during The Fappening. That was user error in weak passwords. Nice try though Posted via the Android Central App
  • And a service that allowed an outside bit of code to continuously try passwords until it was granted access. At least that what Apple actually patched after they said it was user error.
  • And yet, whole iPhones brick during simple software upgrades...yeah about as secure as a leaky dam Posted via the Android Central App
  • I remember when Nexus devices were becoming bricked during updates. Remember that? Just like that, that happens increasingly rare to warrant news Posted via the Android Central App
  • Stagefright 2016?
  • Sounds about right, stagefright, the over hyped security non-issue that has yet to affect any of my outdated devices. Come to think about it, I haven't had any apps download in the background and try to trick me into enabling unknown sources for a few months now either. Posted via the Android Central App
  • For a few months? Sounds encouraging!
  • http://forums.androidcentral.com/general-news-discussion/709130-let-s-ta...
  • Great another issue, 4 issues found with my phone, on security patch 1,1,2016 so does not surprise me, Vodafone coverage great, phones never ever again will I buy a branded phone from you!!! Posted via the Android Central App
  • Relax.. Nothing happened. Nothing ever happened. It's all click bait and talking points. Posted via Techmology
  • Maybe someone will be able to exploit Quadrooter into a means for users to root their devices without including malware. I'd love to get some more of my devices rooted. Posted via the Android Central App
  • Any recommendation on a good Antivirus to detect and remove malware? I got a full screen nude pic pop up on my screen saying someone would like to share their pic with me. I don't watch my porn ON MY PHONE. Posted via the Android Central App
  • I had that happen on my note 3. I ended up doing a factory reset because I couldn't figure out which app was doing it.
  • Step 1. Don't use any Antivirus.
    Step 2. Download CCleaner and clean your temp files, cookies, etc.
    Step 3. Read articles in their entirety and don't jump to conclusions. Posted via Techmology
  • 1. Agree.
    2. SD Maid is good too.
    3. Read random words and make up your own story. Much more fun...
  • #3 BAHAHAHA
  • Thanks for the suggestion. And just so you know, I read the entire article and I wasn't implying that the malware discussed here was due to porn. Posted via the Android Central App
  • View porn in incognito mode.. For reasons.. Posted via Techmology
  • Don't use Anti virus or RAM cleaners Posted via the Android Central App
  • Glad I have an Exynos.
  • If US folks can buy a Exynos Note 7 I'm in.
  • Too bad they waste these nice exploits on malware and not on helping people root their devices without intent to cause harm.
  • Fear mongering = big business potentially. So who stand to gain by always finding these "exploits"? Posted via the Android Central App
  • That was what the checklist in the article was inferring. It's not like these are some benevolent non-profit security research groups.
  • Google pays out hefty sums to those who find and report vulnerabilities. Google allows Android to be scrutinized and picked apart so they can make it better... The competition, not so much.. They're too arrogant so they're always doing damage control. Posted via Techmology
  • CVE-2016-2503 – Already in Google's July security patch, requires physical access to unlocked device.
    CVE-2016-2504 – Already in Google's August security patch, requires physical access to rooted device
    CVE-2016-2059 – requires physical access to device
    CVE-2016-5340 – requires root
    Devices with processors shipped after April should not be impacted. Lesson, don't root your phone, turn off all the security features and then hand it to a bad person.
  • What after April security patch you're okay??? My Moto X 2nd Gen is on May security patch is it fine?? Posted from my Moto X 2nd gen and my Nexus 9 both on Android Marshmallow
  • No, if your processor was shipped to the OEM after April 2016 you would be fine. If your Moto X 2nd Gen is on May, it's still theoretically vulnerable until you have at least the July security patch, which kills 2503. August patch kills 2504 and 5340 will be killed in September's patch. The thing that makes your phone fine is if you haven't a) rooted it, b) left it without any lockscreen security c) have enabled third party installations d) have had your device physically in the hands of sophisticated criminals who were using these exploits to access your stuff. But if that were true, they wouldn't need the exploits because they'd have the device... so you're fine.
  • So if I have two of those exploits on my nexus 6,should I download the app and do as it instructs to download patch or whatever. Cause it shows I have the exploits. Nexus 6. Up to date. Posted via the Android Central App
  • I'm using an S6 as my daily so I'm guessing I'm safe? Now my Nexus 6 on the other hand LoL Posted via the Android Central App
  • Quick, go make root software using the exploit so that root can be had on a lot of devices.....
  • August 10th and still no monthly security patch. Good thing I have this Nexus enrolled in the Beta program...
  • "Free detection app peddled by security company with a product to sell? Check." It is possible that if it weren't for CheckPoint and their software then this vulnerability would still be undetected. I don't know why you would try to make CheckPoint out to be the bad guy in this scenario. Nothing they stated in their blog was absurd, of course they are going to recommend using their product just like you would recommend someone looking at your site over another tech blog.
  • AC forgot to tie this into Pokemon Go. Opportunity missed.
  • Okay so here's the problem you download the app that they want you to download and of course it shows that you're affected then they want you to download another one and down the rabbit hole we go. I guess i just exposed myself for even trying.
  • Security software vendor tries to sell you security software. Egads!
  • That's what I'm wondering Posted via the Android Central App
  • So today's news is... almost 1billion Android phones at risk! Quick toss your Galaxy and go buy an iPhone, also cupping is a total miracle, just ask Michael Phelps. Posted via the Android Central App
  • Cupping! Lol....kinda like spooning but not really.....:)
  • Then why does my Note 5 have a Qualcomm sticker on the top?
  • Another pointless security company trying to gain publicity Posted via the Android Central App
  • Maybe, but I think it is really poor not to have a media response from Google and major manufacturers stating when a fix will be delivered. This is the problem with Android. The whole update process is messed up. In the US networks need to be out of the loop delivering fixes. They are just a complete unnecessary part of the update process.
  • Google provides a media response each month that hardly anyone bothers to read. I know because I tell everyone about it each month, then check how many people looked at it. I'm still going to keep telling those who listen, though :)
  • Even Ars Technica went the scare route on this one. Usually they're pretty analytical. It was Ars UK tho, a decided step down in quality. Nice to see a realistic viewpoint Posted via the Android Central App
  • mediatek ftw Posted via the Android Central App
  • It is really sad that AC is the only place that EVER deals with this FUD in a sensible manner. It's come so that I completely ignore ZDNet, Cnet and the "technology" sections of any major online publication (especially Forbes). I have been using Android since the HTC Inspire and have NEVER had my phone compromised. And by that I mean, no ransomware, no money suddenly missing from accounts or charges on credit cards I don't recognize. No malicious activity of any kind. For the record I do not side load apps but only download from the Play Store website and usually only the most popular apps (high number of installs). My AT&T LG G4 has the July 2016 patch.
  • Nobody has. They're always hypothetical vulnerabilities when you hear about Android. But when you hear about iOS, they're always actual threats that affected many people, and Apple's aware of it and a patch is rolling out in the next update. Posted via Techmology
  • I was under the impression that when you root a phone it automatically wipes your device (factory reset). If this is the case then do we actually have anything to worry about? Or am I missing something?
  • Quick question. If a malicious app does somehow slip through the cracks and land on the Play Store, does Google have a remote kill switch that uninstalls the app from devices that installed it when it's removed from the Play Store? Posted via my Nexus 5X or Pixel C
  • Don't be too sure that google store isn't the author of the malicious app to begin with.
  • HOW DOES THIS AFFECT MY POKEMON GO EXPERIENCE? Posted via the Android Central App
  • Haha Posted via the Android Central App
  • users IRL won't read any of this. co workers think Android equals viruses F*CK POKEMON!
  • I think the reason these get so much play is that it took a lot of scrolling to find how the exploit actually works. Not sure if it's intentional, but this "QuadRooter is one of the many Android security issues that requires you to manually install an app. That means manually going into Security settings and toggling the "Unknown Sources" checkbox." should've been in the first few lines of the article.
  • Happy for my Exynos! Posted via the Android Central App
  • It has zone alarm written all over it ... Another scare campaign for the books Posted via the Android Central App
  • Check Point are the company behind ZoneAlarm. Of course they're going to try and sell it via this collection of vulnerabilities. Posted via my Nexus 5X or Pixel C
  • Quadrooter scanner has found 4 vulnerabilities (CVE-2016-2059/2503/2504/5340) on my Galaxy Note 3 N9005.
    I pressed the button saying "Get ZoneAlarm Protection" then installed the software. Then, scanned again with that one. It's found those vulnerabilities as well. Now it is telling me that my device is rooted. Oh, do they think, I will use a device without root and without custom rom especially without Xposed installer? Then, there is no point of using a smartphone. The day I put my hands on the Note 7, I will root it. I don't like ads on my smartphone. I already have enough ads on the TV and PC. There are endless possibilities you can do with your rooted smartphone. I better give up my phone, than those possibilities. If my phone is already rooted, why ZoneAlarm doesn't go in the system and do something? Patch it, delete something, just fix the bloody problem... By the way on the other tab of the ZoneAlarm, it says; "You are at risk!" and "All your Apps are safe to use."
    So?!$%&
  • This is the beginning of the banking virus. Everyone pay attention. If you hear on a Friday, that you cannot use your bank account (withdrawals online banking, etc. ) Because there is a virus in the banking system servers (that they will have everything under control on the following Monday.) You have 72 hours to hug your loved ones, get to your guns, make peace with your god(s!) The theory is: They plan to roll out martial law. The Snipers shootings are to create a case for removing all high powered guns from your hands as a citizen. Therefore you will have nothing that will penetrate armor.
    Just a theory that is already well known and all over the web. I'm just an information junky. Call me a conspiracy nut. But you have been armed with the same info..
    Good Luck. Everyone can think I am a lunatic all they want. I have been waiting to see these kind of reports.
  • And this has something to do with QuadRooter how? Posted via my Nexus 5X or Pixel C
  • Nah, We all agree. You are a FRUITCAKE
  • I will still argue that all phone makers should offer you 2 choices. Stock Android or their bloated version of Android. Though you can't do much with iOS at least you know what you're getting.