    'Quadrooter' flaws could give malicious apps root access to 900 million Android phones
    All Android devices powered by Qualcomm processors are susceptible to malicious attacks due to "Quadrooter" flaws. The vulnerability allows a malicious app to gain root access to the phone, giving it full control of the device and the information stored on it. All of the 2016 flagship smartphones are vulnerable to the Quadrooter flaws - even the DTEK50, which BlackBerry is touting as the "most secure Android smartphone." Qualcomm has been aware of the issue and has supplied fixes to the flaws to its manufacturer partners, but there is no indication that any of them have released the fixes to their devices yet. Google has already released a fix for three of the Quadrooter flaws in previous security updates, but the final fourth flaw will not be patched until the September Android security update is released.
     
  1. palmtree5

    Hmm, gotta wonder what percentage of those phones will never see the patches
     
  2. codesplice

    Android Central has a more reasonable (less fear-mongering) write-up on the threat actually posed by QuadRooter.

    Threats like these tend to be initially reported by a company that stands to gain by doing so (nearly always a "security" company no one has ever heard of, but be sure to install our app to make sure you're protected!), and then the media runs amok because (a) omg that sounds scary and (b) independent research and understanding is just hard.

    In reality, the number of "vulnerable" phones is not 900 million, as the vulnerability (like many others) requires a malicious APK to be installed from outside the Play Store.

    Google was also made aware of the vulnerabilities months ago, so you can bet your butt that they've updated their malware scanners (both Bouncer for the Play Store and the Verify Apps feature mandatory on Android phones since Jelly Bean) accordingly.

    So actually being affected by this scary-sounding exploit would require an unwitting user to:
    1. have a device with a Qualcomm SoC (they're popular, sure, but far from the only game in town), and
    2. enable the "Unknown Sources" option buried in their phone's security settings, and
    3. accidentally download an infected APK (likely from a site offering pirated apps and games), and
    4. attempt to install said infected APK, which would most likely result in a scary warning from the Verify Apps feature letting you know that dragons be ahead and you really shouldn't do the thing you're trying to do, and
    5. install it anyway.

    Keep in mind that Google's malware detection/protection systems can be updated effectively in real-time thanks to the Google Play Services framework - with that, you can be protected from threats like these even without requiring the specific vulnerabilities to be patched.


    So sure, be careful about what apps you install and from where, but that's just common sense. There's no need to panic just because another security vendor got their exploit with a catchy name published in the news.
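
The device-side preconditions from the list above (Qualcomm SoC, "Unknown Sources" enabled, Verify Apps active) can be checked from data collected over adb. This is an added example, not part of the original post: the sample values are constructed, the Qualcomm test is a heuristic, and the verdict labels are hypothetical.

```python
import re

# Constructed sample of `adb shell getprop` output (not from the thread).
SAMPLE_GETPROP = """\
[ro.board.platform]: [msm8996]
[ro.hardware]: [qcom]
[ro.build.version.release]: [6.0.1]
"""
# Constructed sample of `adb shell settings get secure|global <key>` results.
SAMPLE_SETTINGS = {
    "install_non_market_apps": "1",  # secure: the "Unknown Sources" toggle
    "package_verifier_enable": "1",  # global: the Verify Apps feature
}

PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Parse `[key]: [value]` lines into a dict, ignoring anything else."""
    props = {}
    for line in text.splitlines():
        match = PROP_LINE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


def looks_qualcomm(props):
    """Heuristic (assumption): Qualcomm boards report msm*/apq* or 'qcom'."""
    platform = props.get("ro.board.platform", "").lower()
    hardware = props.get("ro.hardware", "").lower()
    return platform.startswith(("msm", "apq")) or hardware == "qcom"


def assess(props, settings):
    """Map the post's device-side preconditions to a hypothetical verdict."""
    qualcomm = looks_qualcomm(props)
    unknown_sources = settings.get("install_non_market_apps") == "1"
    # Conservative choice: anything other than an explicit "1" counts as
    # "Verify Apps not confirmed on", so the device is flagged for review.
    verify_apps = settings.get("package_verifier_enable") == "1"
    if not qualcomm:
        verdict = "not-applicable"
    elif not unknown_sources:
        verdict = "low"        # sideloading is blocked at step 2
    elif verify_apps:
        verdict = "elevated"   # sideloading possible, scanner still in the path
    else:
        verdict = "high"       # sideloading possible, scanner not confirmed
    return {"qualcomm": qualcomm, "unknown_sources": unknown_sources,
            "verify_apps": verify_apps, "verdict": verdict}
```

The verdict only reflects device state; it says nothing about whether the vendor has shipped the Qualcomm fixes, which needs the device's own update information.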
     
  3. codesplice

    @svim thanks for the CVE links - I was curious, but not curious enough to give Check Point my information just so I could download their whitepaper (hmm, it's almost like they're trying to sell something...).

    Also, according to Android Central, Google has confirmed that all Android 4.2+ devices are already automatically protected against malicious apps seeking to exploit these vulnerabilities thanks to the Verify Apps thing:

     
  4. Guggy

    It's probably possible to make your own security fix for your custom ROM if you have one.
     
