It seems that a big new Android scare appears around this time every year, just in time for the summer security conferences. This time, it is Check Point who has publicized a set of four vulnerabilities they call Quadrooter. The question is whether this is truly as scary as it sounds, and how does it measure up to last year’s scare – Stagefright – announced right at the end of July 2015?
The short answer is NO, Quadrooter doesn’t measure up, but it shouldn’t be ignored either. Stagefright exploits are much more difficult for a hacker to execute (it took almost a year for one to show up in the wild), but can infect a device with zero action from the user. Quadrooter, on the other hand is far simpler to exploit, but requires users to download and install an app from a third-party app store. Quadrooter is also hardware dependent, so it does not affect all Android devices, as Stagefright does. On the other hand, a successful Quadrooter exploit has the potential to do more harm. Let’s take a closer look at the Quadrooter Android vulnerabilities to see what the real threat is, just how much risk Android users are exposed to, and how to protect yourself.
Quadrooter – four Qualcomm driver vulnerabilities
Earlier this year, researchers at Check Point decided to spend some time poking at Qualcomm drivers to see what security holes they could find. There is some sense in taking this approach since over 80% of all active Android devices have Qualcomm hardware, and we know hackers like large targets. After some effort, they found 4 distinct vulnerabilities that could enable a hacker to gain kernel privileges and disable SELinux, compromising several of the device’s protection mechanisms. TrustZone is not affected by these vulnerabilities. This could also allow users to “root” their devices. To accomplish this, an attacker must develop a successful exploit using one or more of these vulnerabilities and trick a victim into installing it as part of a malicious app.
Even the name Quadrooter sounds bad, and it certainly could be, but let’s take a practical look at these vulnerabilities. First, only Android devices with Qualcomm hardware are vulnerable. That is the vast majority of devices out there, but some devices, like Galaxy S6 and Note 5, use Samsung’s own Exynos processor and Shannon modem, and are not affected at all by this.
Next, >the only way to exploit these vulnerabilities is to install an actual app, which has two potential checks. First the user will need to have 3rd party apps enabled on their device, which allows apps to be installed from stores other than Google play. This setting has been off by default since 2012’s 4.2 Jelly Bean, but many users do enable this. Since these vulnerabilities were first brought to Google’s attention in April, it is unlikely that they are not scanning for it at this point, so the Google Play store should be safe. Second, if a user does manage to download Quadrooter malware, there is a chance Android’s “Verify Apps” feature will throw up a warning to the user, but a mobile threat defense solution would be more reliable and it recommended.
To complicate matters, Qualcomm independently claims they have distributed patches. This can be confusing since nobody actually gets driver patches except through vendor-issued updates. As 3 of the 4 vulnerabilities are addressed in the August Android security patch, only the next patch (in September) will eliminate the last vulnerability.
So how does this compare to Stagefright?
- Quadrooter is a local privilege escalation vulnerability, as opposed to Stagefright, which is a remote code execution one – where users can be infected by an MMS message or a website.
- Quadrooter allows an attacker to gain kernel access and disable Android security mechanisms and access all user data. This could allow an attacker to compromise the device in a way requiring a user to re-flash the OS.
- Quadrooter only applies to Qualcomm hardware – Stagefright is hardware independent.
- Quadrooter doesn’t seem to have appeared in the wild yet, but probably will show more quickly than Stagefright did.
The biggest difference between Quadrooter and Stagefright is that Stagefright does not require an app to be installed, making it more likely that cautious users may still become victims. With Quadrooter, employing safe app practices, like only installing apps from the Google Play store and paying attention to “Verify Apps” notices, may still keep you safe. A good mobile threat defense solution, like Skycure, is important to protect from both of these vulnerabilities, but for those who still install apps from 3rd party stores, it is even more important.
SEP Mobile protects against Quadrooter
SEP Mobile detects and proactively protects mobile devices from both Quadrooter and Stagefright exploits. The SEP Mobile solution uses a multi-layered approach that can both detect malicious applications that attempt to exploit this vulnerability as well as perform on-device integrity validations that can detect the actual exploitation attempt. As is always the case for OS vulnerabilities, a full remediation will only be available using a patch released by device manufacturers.