Google: Android protects against three of four QuadRooter flaws

A red Android mascot

Android should already be able to block three of four QuadRooter attacks automatically, according to Google.

QuadRooter is the latest vulnerability to be found to affect the operating system, with security research firm Check Point uncovering four flaws this week that give hackers root-level access to Android devices.

However, the researchers could not find any existing exploits taking advantage of QuadRooter and Google has now said Android already protects against most of the flaws.

Its Verify Apps feature, enabled by default in all Android versions since Jelly Bean 4.2, can recognise malicious apps using QuadRooter, and block them.

A Google spokesperson told Android Central: "We appreciate Check Point's research as it helps improve the safety of the broader mobile ecosystem. Android devices with our most recent security patch level are already protected against three of these four vulnerabilities.

"The fourth vulnerability, CVE-2016-5340, will be addressed in an upcoming Android security bulletin, though Android partners can take action sooner by referencing the public patch Qualcomm has provided.

"Exploitation of these issues depends on users also downloading and installing a malicious application. Our Verify Apps and SafetyNet protections help identify, block, and remove applications that exploit vulnerabilities like these."

Google's response stresses that users would have to go out of their way to download malicious apps in order for QuadRooter to work, and disable Verify Apps to allow the download to happen.

The only Android devices really at risk are those running anything lower than Android 4.2. Cumulatively, Android versions above 4.2 account for 56 per cent of all mobile operating systems, according to NetMarketShare.

08/08/2016: 900 million Android smartphones at risk of QuadRooter hack

Hundreds of millions of Android smartphones and tablets are at risk from hackers due to a flaw in the Qualcomm chipsets that power them, researchers have found.

QuadRooter, as the issue has been named, is in fact a set of four vulnerabilities that, when exploited, allows an attacker to gain root access to the bug-afflicted device, which means that can change or remove system files and delete or add apps, as well as accessing the device's screen, camera or microphone.

Michael Shaulov, head of mobility product management at cybersecurity firm Check Point, which discovered the issues, said the vulnerabilities are not currently being exploited, but they are soon likely to be.

Speaking to BBC News, Shaulov said: "I'm pretty sure you will see these vulnerabilities being used in the next three to four months. It's always a race as to who finds the bug first, whether it's the good guys or the bad."

Check Point presented their findings at the Def Con security conference in Las Vegas.

Affected devices include:

  • Samsung Galaxy S7 and S7 Edge
  • Sony Xperia Z Ultra
  • Google Nexus 5X, 6 and 6P
  • HTC One M9 and HTC 10
  • LG G4, G5 and V10
  • Motorola Moto X
  • OnePlus One, OnePlus Two and OnePlus Three
  • BlackBerry Priv
  • Blackphone 1 and 2

Only Android devices are affected, meaning iPhones, iPads and Windows Phones and tablets are safe from this bug.

Qualcomm worked with Check Point to mitigate the issue, and patches for all four have since been issued to device manufacturers. However, as the vulnerability can only be fixed by installing a patch delivered by distributors or carriers, Check Point has developed an app, QuadRooter Scanner, that will let users check to see if they have all the relevant patches downloaded and installed.

If they are not fully patched and no update is available to address the issue, users "should call whoever sold them their phone, their operator or the manufacturer, and beg them for patches", Shaulov told BBC News.

Main image credit: Cyberhades on Flickr

Jane McCallion is ITPro's Deputy Editor, primarily covering security, storage and networking for ITPro, CloudPro and ChannelPro.

Jane joined ITPro and CloudPro in July 2012, having previously written freelance for a number of business and finance magazines. She has also covered current affairs, including the student, public sector workers and TUC protests and strikes in central London while studying a Masters in Journalism at Goldsmiths, University of London.

Prior to becoming a journalist, Jane studied Applied Languages at the University of Portsmouth.