QuadRooter, the latest security vulnerability that affects nearly 900 million Qualcomm chipset-powered Android tablets and smartphones, is creating a panic among users.
For the uninitiated, QuadRooter is a set of four vulnerabilities in the chipset software and drivers for Qualcomm processors. It is essentially a rooting flaw that allows a non-privileged app to gain root access and take over the device. For those wondering what it means if their device is affected: you could be looking at compromised personal data.
However, the four security vulnerabilities (as identified by security firm Check Point) were reported to Qualcomm between February and April. The chip maker classified them as high risk and released a patch to partners and customers between April and July.
Of the four vulnerabilities (CVE-2016-2059, CVE-2016-2503, CVE-2016-2504 and CVE-2016-5340), which are located in different drivers that Qualcomm provides to OEMs, only three have been patched by Google in its August security patch.
The fourth vulnerability, CVE-2016-5340, remains unpatched. It is still a potential threat: the rooting flaw could provide hackers with a backdoor and put Android devices with Qualcomm chipsets at risk. This vulnerability is expected to be fixed in the September security patch from Google.
However, if OEMs such as Motorola, HTC, Samsung and LG do not push out the patches individually, the threat will persist for longer. Even the three vulnerabilities that Google fixed in its August security patch have not been rolled out by some OEMs, such as HTC. This is evidenced by the image of the Marshmallow-powered HTC One E8 above. No updates for the handset are available.
Fortunately, hackers can take advantage of the vulnerabilities only if a user downloads a malicious app. Hence it is advisable not to download apps from third-party sites and to stick only to the Google Play Store.
Users also have a tool at their disposal that will enable them to check if their device is potentially at risk — the QuadRooter Scanner app from Check Point.
In addition, Google has confirmed that the impending Android security patch will address the fourth flaw.
"This flaw will be addressed in an upcoming Android security bulletin, though Android partners can take action sooner by referencing the public patch Qualcomm has provided," revealed a Google representative in an email to Computerworld.
As for individual OEMs, it is not known when HTC, Samsung or LG will push out the patch from Qualcomm to address the vulnerability.