Android chip vulnerability leaves millions of devices open to attack

LAS VEGAS — Security researchers have found a bug in Qualcomm chip sets and software drivers that would allow malicious actors to trigger privilege escalations and gain root access to an estimated 900 million Android devices.

In a report released Sunday, Israeli company Check Point Software Technologies disclosed that four vulnerabilities, dubbed Quadrooter, are found in the chip’s software drivers, which control communication between chipset components.

The four vulnerabilities can be found on the kernel level, impacting a device’s entire system. If exploited, a device could be rooted, allowing apps to run privileged commands not usually available on factory-configured devices. An attacker could change or remove system-level files, delete or add apps, as well as access other hardware on the device, including the touchscreen, camera, microphone, and other sensors.

The bug affects some of the most popular Android devices on the market, including:

• BlackBerry Priv

• Blackphone 1 and 2

• Google Nexus 5X, 6 and 6P

• HTC One M9 and HTC 10

• LG G4, G5, and V10

• New Moto X by Motorola

• One Plus One, 2 and 3

• Samsung Galaxy S7 and S7 Edge

• Sony Xperia Z Ultra

According to ABI Research, Qualcomm is the world’s leading designer of LTE chipsets. The San Diego-based telecom chipmaker owns a 65 percent share of the LTE modem baseband market.

Check Point alerted Qualcomm to the vulnerability in April 2016, with the chip company pushing out patches to original equipment manufacturers.

[Sign up for CyberScoop, our new newsletter focused on cybersecurity’s cutting edge.]

A Google spokesperson told us three of the four vulnerabilities have been eliminated with the company’s most recent security patch, with the fourth to be addressed in an upcoming update.

A BlackBerry spokesperson told FedScoop a fix for BlackBerry’s Android devices was integrated and tested in the company’s labs immediately after the report was received and will be pushed to customers as soon as possible.

However, the company says its ‘secure boot chain design mitigates the issue since any elevation of privilege to root level will be temporary and any exploit for this issue would be unable to gain a persistent root.’

‘BlackBerry is not aware of any exploits for this vulnerability in the wild and does not believe that any customers are currently at risk from this issue,’ a spokesperson said.

The report goes on to posit that flaws like Quadrooter are exacerbated by Android’s fragmented supply chain. Companies like Qualcomm create the chip sets, which then get passed on to device manufacturers for software implementation. Another layer of software is often added by the distributors and carriers before the phones are ultimately bought by users. This disjointed process makes pushing security updates a weeks- or months-long affair, with some users not able to patch high-risk flaws on older Android equipment.