Another day, it seems like there’s another security scare for Android users, but as with most cases there’s no need to panic. At DEF CON 24, a security conference held early this month in Las Vegas, security researchers from Check Point Mobile announced a new vulnerability for Android users called QuadRooter that potentially affects 900 million devices.
The vulnerability affects Qualcomm devices, which is where the big scary number comes from. Apparently Qualcomm devices make up around 65% of the Android device user base, with phones from most of the major manufacturers including Sony, Samsung, HTC, Motorola and of course even the Google-designed Nexus series.
So, what is QuadRooter? Well, according to the Check Point Mobile team:
QuadRooter is a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets. Qualcomm is the world’s leading designer of LTE chipsets with a 65% share of the LTE modem baseband market. If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations for the purpose of gaining root access to a device.
So, basically, it can get root access to your device if you are infected.
But the good news is that if you’re not into downloading apps from third-party stores and keep the ‘Install from Unknown Sources’ check box unchecked in Settings, you should be fine. Additionally, Qualcomm told ZDNet that the flaws had been fixed in patches issued to Google between April and the end of July. Google has added them to the monthly Android Security updates, with a final fix set to arrive in next month’s September update.
So if your device is receiving the monthly Android security patches, you should be fine. That said, in line with that missing fix, my Nexus 6P on the August 5th security patch is still showing as vulnerable thanks to a single CVE.
Can you also check to see if your device is vulnerable? Yes, yes you can. Check Point Mobile have of course released a QuadRooter Scanner app on Google Play which you can use to see if you have vulnerabilities that require patching. The best thing you can do for now is to wait for the patch to arrive and install it when it does, and continue to not download apps outside of Google Play.
It’s a jungle out there, but Google seems to be doing a pretty good job at keeping up to date with this stuff, so stay within Google Play and you should be fine.