Android devices with Qualcomm chips contain serious vulnerability
A security company has found four serious vulnerabilities in Qualcomm’s drivers for Android that allow a malicious app to take over a device. There is no patch for one of the four vulnerabilities yet.
Security firm Check Point has dubbed the bundle of vulnerabilities QuadRooter and presented details about it at the Def Con conference Sunday. The company has released an Android app that allows users to check if their device is vulnerable.
According to the company, “hundreds of millions” of devices are at risk, including recent smartphones. The vulnerabilities are contained in the driver for Qualcomm chipsets and can be exploited by developing a malicious app that allows an attacker with elevated privileges to access devices and completely take over those systems. Such an app does not require any special permission to exploit the vulnerabilities.
The components that are vulnerable include the ipc_router, which handles communication between Qualcomm components, and ashmem, Android’s memory allocation subsystem. In addition, there are exploitable flaws in the gpu kernel drivers kgsl and kgls_sync.
Check Point warned Qualcomm in April, after which the manufacturer developed and released patches for device manufacturers. Three of the four issues have been resolved with the latest security update from Google, which at least eliminates the risk for Nexus devices. Many manufacturers base their security updates on those of Google, so that updates are now available for many other devices.
No patch is yet available for the fourth vulnerability. Google will publish it in September. Since Qualcomm itself has released the code to manufacturers, it is possible that they develop patches themselves, but this is not certain. Check Point has criticized the unclear security update policy regarding Android. This has been criticized for some time, partly because of the serious Stagefright vulnerability. Stagefright prompted Google to start the monthly patch round. Samsung, LG and Sony, among others, are trying to bring those updates to users as quickly as possible.