Android smartphones vulnerable to critical security flaws via Qualcomm chipsets

Check Point warning over chipset vulnerabilities affecting almost one billion Android devices

Check Point Software claims to have unearthed four new Android vulnerabilities affecting as many as 900 million devices - and the vast majority of the devices are unlikely to ever be patched.

The vulnerabilities affect any device based on Qualcomm chipsets. Check Point unveiled its research at the Defcon hacking conference in Las Vegas, Nevada.

Check Point has plenty to say about Quadrooter, as well as providing a check list of devices affected.

These include the latest Samsung Galaxy S7 and Samsung S7 Edge; Sony Xperia Z Ultra; Google Nexus 5X, Nexus 6 and Nexus 6P; the supposedly secure Blackphone 1 and Blackphone 2, HTC's One, M9 and 10; the LG G4, G5 and V10; the new Motorola Moto X; and the BlackBerry Priv.

"QuadRooter is a set of four vulnerabilities affecting Android devices that are built on the Qualcomm chipset, a supplier of 80 per cent of the chipsets in the Android ecosystem," warns Check Point.

It continues: "If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations and gain root access to a device, enabling them to change or remove system-level files, delete or add apps, and access the device's screen, camera or microphone.

"The vulnerabilities are found in the software drivers Qualcomm ships with its chipsets. An attacker can exploit these vulnerabilities using a malicious app to trigger privilege escalations and gain root access to a device. This app would require no special permissions to take advantage of the vulnerabilities, which means they would not make users suspicious."

In addition to Check Point's blog, Defcon also has a succinct summary of the presentation by Adam Donenfeld, the senior security researcher at Check Point.

"Following recent security issues discovered in Android, Google made a number of changes to tighten security across its fragmented landscape. However, Google is not alone in the struggle to keep Android safe," it claims.

"With this in mind, we decided to examine Qualcomm's code in Android devices. During our research, we found multiple privilege escalation vulnerabilities in multiple subsystems introduced by Qualcomm to all its Android devices in multiple different subsystems."

We have asked Qualcomm for comment and, according to other reports, it has fixed the issues. However, the haphazard patching and updating of Android operating systems means that it is unlikely that most existing end users - unless directly supported on a regular basis by manufacturers, such as BlackBerry - will be updated.