New Android security vulnerabilities affect 900 million phones

Qualcomm chipsets used in 900 million Android phones are vulnerable to four new types of attack, a security vendor announced Sunday.

At the DEF CON hacker conference Sunday, Check Point unveiled four vulnerabilities that could give an attacker the highest level of control over a phone, often called “root.” 

Though the security soft spots use largely different methods to take over a phone, Check Point is calling the suite of attacks “QuadRooter.”

The vulnerabilities affect all versions of Android.

Qualcomm chips are used in many popular phones, including models made by Nexus, HTC, Samsung, LG and BlackBerry, and models by the security-focused BlackPhone.

The vulnerabilities can be plugged with a simple patch to a phone’s drivers, which Qualcomm has now provided. The trouble, notes Check Point, is that getting a simple patch for an Android phone is not always that simple.

“Fixes require mind-bending coordination between suppliers, manufacturers, carriers and users before patches make it from the drawing board to installation,” writes checkbox in its QuadRooter white paper.

Android phones do not use a single set of drivers. Because every manufacturer makes phones in its own subtly different way, Qualcomm cannot directly update phones. Instead, the manufacturer needs to take Qualcomm’s fix and incorporate it into its own patch. There are wildly different levels of compliance with creating these updates.

Some manufacturers produce monthly updates. But Android said there is no guarantee a manufacturer will provide a patch to any problem in a timely fashion, if ever. 

“The fragmented world of Android leaves many users exposed to risk, even with out-of-the-box devices.”