Android security is still struggling.
Cyber security company Check Point this week unveiled a new set of Android vulnerabilities that affect nearly a billion devices that use Qualcomm chipsets.
The new vulnerabilities, a set of four known as “QuadRooter,” are found in the software drivers that ship with Qualcomm chipsets, Check Point said. The company said any device – including a number of top smartphone and tablet models – that use Qualcomm chipsets are at risk.
According to Check Point, an attacker who exploits any of the four vulnerabilities can gain enough privileges to root access a device. Root access means an attacker would be able to control the device and would have uncensored access to both personal and enterprise data, as well as the capability to log keystrokes, use the device’s GPS tracking and audio and video recording features.
Impacted devices include the number one and number three top-selling Android smartphones worldwide – the Samsung Galaxy S7 edge and Galaxy S7 – as well as other premium and flagship models like Google’s Nexus 6P, LG’s G5 and V10, Motorola’s Moto X and HTC’s M9 and HTC 10. Even BlackBerry’s Android-based Priv is vulnerable to the exploit, Check Point said.
But an immediate fix for this security gap will take some time.
Since the software drivers in question are pre-installed on devices during manufacture, Check Point said the exploits can only be fixed via a patch from the device’s distributor or carrier. In turn, those distributors and carriers can only issue the patches once Qualcomm sends them the fixed driver packs, Check Point said.
“This situation highlights the inherent risks in the Android security model,” Check Point wrote in its report. “Critical security updates must pass through the entire supply chain before they can be made available to end users. Once available, the end users must then be sure to install these updates to protect their devices and data.”
Qualcomm on Tuesday said it was notified about the QuadRooter vulnerabilities between February and April of this year and made patches available for all four exploits. The company said the fixes were made available to its customers, partners, the open source community and CodeAurora between April and July.
“Providing technologies that support robust security and privacy is a priority for Qualcomm Technologies, Inc. (QTI),” a Qualcomm spokesman said. “QTI continues to work proactively both internally as well as with security researchers to identify and address potential security vulnerabilities.”
Weak in the knees
Android’s weaknesses aren’t exactly new.
In February, Android earned the unenviable number two spot behind Microsoft Windows as the second most targeted operating system in 2015 in Hewlett Packard Enterprise’s Cyber Risk Report. The operating system was also the subject of the second-highest number of malware threats last year, with a total of 4.5 million. HPE said at the time the number of threats targeting Android devices had jumped 153 percent year over year.
Additionally, the Wall Street Journal in March reported encryption on Android devices significantly lagged encryption on Apple devices. According to the report, just two percent of Android users were running a version of the operating system that required encryption, compared to 95 percent of Apple devices.
A large part of the problem is fragmentation in Google’s Android ecosystem, an issue Google has been working to rectify through security and operating system updates.
According to a May report from Bloomberg, Google has been working with U.S. wireless carriers to speed the roll out of security patches by shortening the network testing timeframe. Google has also been working with Android manufacturers to follow its example and release monthly security updates.
In its April Android Security State of the Union report, Google found potentially harmful apps were installed on less than .15 percent of devices that exclusively used the Google Play app store. Further, Google found install attempts of harmful data collection apps dropped by more than 40 percent, spyware install attempts decreased by more than 60 percent and hostile downloader attempts dropped 50 percent.
Still, the situation – particularly the discovery of the Android “Stagefright” threat – has drawn the attention of the U.S. Federal Communications Commission and Federal Trade Commission. In May, both agencies reached out to U.S. wireless carriers and manufacturers to get more information on their procedures for reviewing and releasing security updates.
The FCC on Tuesday said the responses from carriers and manufacturers were submitted in time for the June deadline. The Wireless Bureau is currently reviewing the responses, the FCC said.