News broke a few days ago that 900 million Android phones are vulnerable to a flaw dubbed ‘QuadRooter’, so named because there are FOUR ways for the phone to be ‘rooted’ or compromised.
Over 900 million Android smartphones and tablets are vulnerable to cyberattacks, as they contain a set of four vulnerabilities dubbed QuadRooter.
These flaws were found in devices that use Qualcomm chipsets, Check Point revealed at this year’s DEF CON 24 Hacking Conference in Las Vegas.
It stated that if any of the four vulnerabilities is exploited by cybercriminals, it can give them access to smartphones and tablets.
In other words, QuadRooter allows cybercriminals to “trigger privilege escalations for the purpose of gaining root access to a device”.
“An attacker can exploit these vulnerabilities using a malicious app,” explained Adam Donenfeld, lead mobility security researcher at Check Point.
“Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing.”
Commenting on the news, Qualcomm, which specializes in 3G and next-generation mobile technologies, said that it was notified of the vulnerabilities earlier this year.
It responded with patches for all four of the vulnerabilities between April and July.
However, as Check Point observes, because the flaws are already present in the affected devices “at the point of manufacture”, the process for resolving the problem isn’t straightforward.
Mr. Donenfeld explained: “They can only be fixed by installing a patch from the distributor or carrier.
“Distributors and carriers issuing patches can only do so after receiving fixed driver packs from Qualcomm.”
The bad news is that malware authors are putting out apps which claim to be able to fix this serious flaw. The worse news is that these apps were malicious themselves, and even charged you for the privilege of downloading their malware!
Soon after the discovery of the QuadRooter vulnerability, a remedy appeared on the Google Play app store. Unfortunately, neither of the two apps named “Fix Patch QuadRooter” by Kiwiapps Ltd. would patch the Android system. Already pulled from Google Play on ESET’s notice, these apps were malicious, serving their victims with unwanted ads. On top of that, one of them required payment (costing 0.99 EUR).
The lesson here is clear: if an app is available to patch your phone, it will come from the phone manufacturer or your mobile phone company. It will NOT come as a ‘patch app’ through any of the app stores you might regularly buy apps from.