Four vulnerabilities relating to Qualcomm chipsets used by an estimated 900 million Android smartphones and tablets could each be exploited to seize control of devices and steal any data they store, warns Israeli cybersecurity firm Check Point.
See Also: From Authentication to Advanced Attack Vectors: Top Trends in Cybercrime in Q1 2016
Devices from numerous manufacturers - including Samsung, HTC, Motorola and LG - are reportedly at risk from the flaws, which exist in chipset-related code created by Qualcomm.
"If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations and gain root access to a device," Check Point warns in a related research report into the flaws, which it's dubbed "Quadrooter."
Researchers from Check Point, who first detailed their findings on Aug. 7 at the Def Con conference in Las Vegas, say that an attacker could exploit the flaws by sneaking a malicious app onto a user's device, and that the vulnerabilities could be exploited without requiring users to grant them any special permissions, thus masking the attack.
Neither Google nor Qualcomm immediately responded to a request for comment about the flaws or related fixes.
Qualcomm controlled 65 percent of the world's 4G/LTE chipset market in 2015, compared with Samsung, which controlled 12 percent market share - largely due to the tech giant building its own chips for Galaxy S6, Galaxy S6 edge, and Galaxy Note5 devices - according to market researcher ABI Research.
Check Point says it alerted both Qualcomm and Google to the flaws in April, and that Qualcomm has pushed patches for its chipsets. Google, meanwhile, has said that any Android user who's downloaded the July security update for Android will be protected against three of the four flaws.
Still, many Android users may have to wait months - or longer - for their device manufacturers or cellular providers to release fixes that will work on the customized versions of Android that run their devices (see FTC, FCC Launch Mobile Security Inquiries).
"Fixes require mind-bending coordination between suppliers, manufacturers, carriers and users before patches make it from the drawing board to installation," Check Point notes in its report. "The fragmented world of Android leaves many users exposed to risk, even with out-of-the-box devices."
Qualcomm Chipset Code: Four Flaws
Check Point says the flaws it discovered involve a vulnerability in a Qualcomm-built kernel module, called ipc_router, that allows various Qualcomm components to communicate (CVE-2016-2059); a vulnerability in Ashmem - Android's propriety memory allocation subsystem (CVE-2016-5340); and two different flaws in Android's kernel graphics support layer driver (CVE-2016-2503, CVE-2016-2504).
"Preinstalled on devices at the point of manufacturing, these vulnerable drivers can only be fixed by installing a patch from the distributor or carrier," Check Point says. "Distributors and carriers can only issue patches after receiving fixed driver packs from Qualcomm."
Alex Gantman, the Qualcomm Product Security Initiative vice president of engineering, says that his company has released patches that fix the flaws. "I take pride in our collaborative relationship with security researchers and I am always appreciative of community's efforts to help us harden our products," he told Financial Times.
Now Manufacturers Must Patch
Now, it's up to affected manufacturers and mobile phone providers to create fixes for customers and subscribers. Via Check Point, here's a partial list of vulnerable devices:
BlackBerry Priv; Blackphone 1 and 2; Google Nexus 5X, 6 and 6P; HTC One M9 and HTC 10; LG G4, G5, and V10; New Moto X by Motorola; OnePlus One, 2 and 3; Samsung Galaxy S7 and S7 Edge; Sony Xperia Z Ultra.Check Point has also released a free QuadRooter Scanner app via Google Play designed to scan for the presence of any of the four flaws it found.
Ongoing Threat: Malicious Apps
A Google spokesman attempted to downplay any risks relating to the four flaws, telling Financial Times that the flaw would require attackers to sneak a malicious app onto a target's smartphone or tablet. "Exploitation of these issues depends on users also downloading and installing a malicious application," Google said. "Our Verify apps and SafetyNet protections help identify, block, and remove applications that exploit vulnerabilities like these."
But app stores - from Google, Apple, or any other provider - aren't immune to attackers sneaking in malicious apps (see Apple Battles App Store Malware Outbreak). Plus, while Google says it's built strong security controls into its app store - Google Play - not all parts of the world enjoy full access to the site, thus driving users to seek less-secure alternatives. In China, for example, users reportedly can only access free apps, rather than paid apps, on Google Play. Not coincidentally, many attackers repackage legitimate, popular Android apps, oftentimes creating "free" Trojanized versions designed to sneak adware onto users' devices.
In July, Check Point reported that a single Chinese cybercrime group - associated with China-based mobile ad server company Yingmob - was earning $300,000 per month via such attacks, and controlled 10 million infected Android devices around the world (see Android Trojanized Adware 'Shedun' Infections Surge).