Nearly a billion Android phones and tablets are vulnerable to malware that could allow hackers “complete control of devices and access to sensitive personal and enterprise data on them,” according to Israeli cybersecurity firm Check Point.
The hacks are possible due to a series of four vulnerabilities — dubbed QuadRooter — affecting Android devices built on Qualcomm chipsets, which are found in nearly two-thirds of mobile devices. “If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations and gain root access to a device,” said the Check Point research team that discovered the problem.
Unlike most malware, which can be rooted out or at least detected by antivirus software, there’s little users can do except wait for Qualcomm to issue patches to fix the problem, according to Check Point. The vulnerabilities are in the chipset’s software drivers – the basic operating system-level programs that provide usability to the chipsets – which control communication between the chipset components.
As such, the vulnerability is on the hardware level, built into the device itself – and accessible only through software packages that update those drivers. “Pre-installed on devices at the point of manufacturing, these vulnerable drivers can only be fixed by installing a patch from the distributor or carrier. Distributors and carriers can only issue patches after receiving fixed driver packs from Qualcomm,” according to Check Point.
With 900 million devices affected, there is no “safe” phone or brand; the list of devices affected includes some of the most popular models by Samsung, HTC, Motorola, LG and more. Among the many models affected are the LG G4, G5, and V10; Samsung Galaxy S7 and S7 Edge; Sony Xperia Z Ultra; Google Nexus 5X, 6 and 6P; and OnePlus One, 2 and 3.
Android devices, of course, are the industry foil to Apple’s ioS devices, with the Android operating system the default OS for manufacturers of devices that are not iPhones. Many iPhones and iPads contain Qualcomm chipsets as well, but because the operating system handles communications and software differently, Apple devices are not vulnerable to the hacks.
Android pitches a big tech tent, inviting manufacturers large and small to build their devices around the operating system, which allows programmers a great deal of freedom in app design (unlike Apple, which places many security and function strictures on programmers).
But according to Check Point, Android’s openness, generally considered its strength, is actually its greatest weakness. “A myriad of device models, operating system versions, and unique software modifications makes handling Android vulnerabilities a challenge,” according to the Check Point team. “The earlier these vulnerabilities are born in the supply chain, the more difficult they are to fix. The fragmented world of Android leaves many users exposed to risk, even with out-of-the-box devices.”
According to Google, which develops the Android operating system, three of the four vulnerabilities have been patched; a patch to prevent hackers from exploiting the fourth will not be available until September. Until then, said Check Point, users need to tread very carefully – installing only well-known apps, “carefully reading permission requests when installing apps, being wary of apps that ask for unusual or unnecessary permissions or that use large amounts of data or battery life, using known, trusted Wi-Fi networks” — and hope for the best.