What is Quadrooter?
Quadrooter, as the name suggests, is a set of four vulnerabilities affecting Android devices running on Qualcomm chipsets. So using any of these four vulnerabilities, an attacker can exploit a device by gaining root access to users’ phone. It is reported that over 900 million Android devices running on these Qualcomm chipsets. Qualcomm also launched the new Snapdragon 821 recently, which is upto 10 percent powerful than the 820.
Yes, that’s a lot of devices, and all these are affected by the ‘high’ risk privilege escalation vulnerabilities. With this, it would be easy for an attacker to trick the user into installing a malicious application. If any of these flaws are successfully exploited, then the attacker can gain root access. This would give a full access to the affected device to the attacker. This also includes all the Data, hardware like Microphone and camera.
Popular devices affected by this Vulnerability:
So as mentioned earlier, the devices running Qualcomm Chipsets are vulnerable to this attack. Google’s Nexus 5X, Nexus 6, and Nexus 6P, HTC’s One M9 and HTC 10, OnePlus One, OnePlus 2 and OnePlus 3, LG G4, LG G5, and LG V10, and Samsung’s Galaxy S7 and S7 Edge are some of those named vulnerable to one or more of the flaws. There will be more, but as of now, these are the confirmed ones. The recently launched Blackberry Dtek50, which the company claims to be the most secure Android smartphone in the world, is also vulnerable to this. According to a Qualcomm’s spokesperson, the chipmaker has fixed all of the flaws and had issued patches to customers, partners and also the open source community.
Also, most of these fixes have already gone into Android’s monthly set of security patches, which Google is rolling out early each month to its Nexus smartphone owners. So it is just about the time that other manufacturers also roll out those patches at the same time or in following days. It is expected that Google will be rolling out these fixes with the September security patch. So none of the devices will see a patch for this until next month. Note that, three out of four of these flaws have been fixed, but one is still outstanding, largely because the final patch wasn’t issued in time.
How could this happen? You ask?
If you’re wondering how such a huge security flaw could come about, it’s really down to how Android phones are manufactured. Unlike Apple’s devices, which are designed and manufactured entirely in-house, Android phones are built in two stages. Google creates the software and third-party companies – such as Qualcomm – design and build the chips and hardware. Just by outsourcing this process, Android devices are more at risk of a high-level flaw, as it’s more difficult for Google to ensure complete security.
Michael Shaulov, head of mobility product management at Check Point, told Zack Whittaker from Zero Day on the phone two weeks ago of his frustration at the challenge faced with fixing the Quadrooter flaws.
“Qualcomm has a significant position in the development chain, in that a phone maker isn’t taking the Android open-source code directly from Google, they’re actually taking it from Qualcomm,” he said.
Shaulow explained that this only complicates the patching process, which led to the delay in getting the final fix out in time to meet Check Point’s three-month period of private disclosure.
“No-one at this point has a device that’s fully secure,” he said. “That basically relates to the fact that there is some kind of issue of who fixes what between Qualcomm and Google.”
In other words, blame the complex, messy supply chain.
How to check
To check if your device is affected, you can download an application from the Play Store called the QuadRooter Scanner. It will scan your device and show the results as shown below. In our case, it shows all these vulnerabilities. This application also gives detailed information about the same. With that being said, we have to patiently wait for the September security patch from Google and then wait for the smartphone manufacturer to roll these patch out. Stay tuned for more info on this.