SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Check Point uncovers new vulnerabilities affecting millions of devices
Mon, 8th Aug 2016

Mobile researchers from Check Point Software have found four new vulnerabilities affecting over 900 million Android smartphones and tablets.

Check Point lead mobile security researcher Adam Donenfeld recently revealed the vulnerabilities, which affect Android devices built using Qualcomm chipsets.

Qualcomm is the world's leading designer of LTE chipsets, with a 65% share of the LTE modem baseband market in the Android ecosystem.

According to Check Point, the set of vulnerabilities is called ‘QuadRooter’. If exploited, the vulnerabilities give an attacker complete control of devices. The software company says they could also provide an attacker with capabilities such as keylogging, GPS tracking, and recording video and audio.

Check Point says the vulnerabilities are found in the software drivers Qualcomm ships with its chipsets. The estimated 900 million affected devices include these models:

  • Samsung Galaxy S7 - S7 Edge
  • Sony Xperia Z Ultra
  • Google Nexus 5X, 6 - 6P
  • HTC One M9 - HTC 10
  • LG G4, G5 - V10
  • Motorola Moto X
  • OnePlus One, 2 - 3
  • BlackBerry Priv
  • Blackphone 1 - 2

Michael Shaulov, head of mobility product management for Check Point, says vulnerabilities like QuadRooter bring into focus the unique challenge of securing Android devices and the data they hold.

“The supply chain is complex, which means every patch must be added to and tested on Android builds for each unique device model affected by the flaws,” says Shaulov.

“This process can take months, leaving devices vulnerable in the interim, and users are often not made aware of the risks to their data. The Android security update process is broken and needs to be fixed.”

Check Point has created a free QuadRooter scanner app that's available from Google Play. The app enables Android users to find out if their device is vulnerable, and prompts them to download patches for the problem.