QuadRooter: Qualcomm Chipset Vulnerability Said To Affect 900M Google Android Devices

Check Point Software Technologies (NASDAQ: CHKP) unveiled its research into QuadRooter, hosted with Scribd, a newly detected Qualcomm chipset vulnerability affecting devices running Alphabet Inc.’s (NASDAQ: GOOG, GOOGL) Google Android operating system at DEF CON 24 in Las Vegas, Nevada today.

The vulnerability is said to affect over 900 million devices running Android. Qualcomm Incorporated (NASDAQ: QCOM) manufacturers 65 percent of the world’s LTE modem baseband chipsets affected by QuadRooter, as reported by ABI Research. Qualcomm also manufacturers 80 percent of all chipsets “in the Android ecosystem.”

Qualcomm was said to have been first notified about the chipset vulnerability by Check Point in April. Industry standards under Computer Emergency Response Team Coordination Center (CERT-CC) provisions allowed for a 90-day period to give Qualcomm the opportunity produce patches and distribute them to equipment manufacturers and network carriers, before the chipset vulnerabilities were made public.

To date, Check Point reports that no evidence of nefarious activity exploiting the QuadRooter vulnerability has been observed.

Google Nexus 5X, 6 and 6P; HTC One M9 and HTC 10; BlackBerry Priv, Blackphone 1 and 2; LG G4, G5, and V10; OnePlus One, 2 and 3; New Moto X by Motorola; Samsung Galaxy S7 and S7 Edge; and Sony Xperia Z Ultra model phones are reportedly among the Android devices running Qualcomm chipsets affected by QuadRooter. This list is not exhaustive.

Unlike the threat posed from malware, such as HummingBad, as previously reported by The Inquisitr, the QuadRooter chipset vulnerability can’t be detected with security software like ZoneAlarm for home users or Check Point Mobile Threat Prevention for mobile enterprise users, though the apps are reported to “detect, alert, and protect” devices if the vulnerability is exploited.

As stated previously, no evidence of criminal activity associated with QuadRooter has been observed yet. So chances that users’ data has been compromised appear low. However, it is one deemed serious enough that Qualcomm itself labelled it as “high risk.”

Update patches for Android have reportedly been provided to device manufacturers for three of the flaws. The fourth will be included in an upcoming patch. Updates are delivered to users “over the air,” as reported by WikiHow. There is said to be a slight chance that an Android device could crash while being updated; users are advised to back up data before updating. If updates are available, they can be found under About phone (or About tablet) and System updates, in the Android Settings menu.

PC Advisor wrote in January that Google was only supporting Android versions Jelly Bean (4.1) and higher. The cut off may vary by equipment manufacturer, retailer, and wireless carrier, as each has input into the exact Android build shipped with new devices.

Users running versions of Android for which updates are not available may not have any means available of fully securing their devices from the QuadRooter chipset vulnerability.

Check Point has noted that the responsibility of ensuring the security of Android users’ data is undertaken not by Google alone, but by a “complex supply chain.” The situation results in delays deploying critical patches, such as for QuadRooter, and extended periods of time consumers are left unprotected.

“Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered,” the Federal Communications Commission (FCC) and Federal Trade Commission (FTC) were quoted by CNN. “There are significant delays in delivering patches to actual devices — and older devices may never be patched.”

Qualcomm, and other equipment and software producers like Apple Inc. (NASDAQ: AAPL), Google parent Alphabet, Microsoft Corporation (NASDAQ: MSFT), and HTC, as well as wireless carriers like AT&T, Inc. (NYSE: T), Verizon Communications Inc. (NYSE: VZ), and Sprint Corporation (NYSE: S) were reported to have been sent letters by the federal agencies inquiring as to the speed with which they produce patches, described as “notoriously slow” in the Apple supply chain, but that the company founded by Steve Jobs has a “better reputation” for cybersecurity than Google.

Rooting Android devices, the equivalent of jailbreaking an Apple iPhone, is said to pose unique risks, and it is recommended that the practice be avoided. Users can also decrease the likelihood of exposing themselves to malicious apps by only downloading from the Google Play Store and by only using trusted public WiFi connections.

To protect themselves from the QuadRooter Qualcomm chipset vulnerability, and all potential threats, Check Point advises that users install Android updates as soon as possible after they are made available, as well as running security apps like ZoneAlarm or Mobile Threat Prevention. The firm also advises that users refrain from installing “side-loading” apps, which can be recognized by.APK file extensions, and to carefully read and consider the permissions apps request when being installed. Unusual requests for battery or data access should be deemed suspicious and investigated.

[Image via iStock]