Android QuadRooter vulnerability: should you be worried?
Short answer: probably not
Details of a security flaw which could potentially compromise 900 million Android handsets recently came to light – but is it something you need to worry about? We've spoken to the major players in the mobile market to find out what's going on.
Research carried out by Check Point highlighted a potential risk to handsets running particular Qualcomm chipsets, after it found a set of vulnerabilities dubbed 'QuadRooter'.
This relates to four vulnerabilities which potentially allow attackers to gain access to your device using a malicious app, with high-end handsets including the HTC 10, LG G5, BlackBerry Priv, OnePlus 3 and the US variants of the Samsung Galaxy S7 and S7 Edge in the crosshairs.
It's worth noting that the likelihood of downloading a malicious app is low, unless you frequently opt to download from spurious 'unknown sources', and to date there have been no recorded attacks exploiting this flaw.
There are two very simple things you can do minimize the risk of falling victim to a QuadRooter hack:
- Keep your smartphone updated with the latest software
- Only download apps from trusted sources (e.g. the Google Play Store)
What's Qualcomm doing?
- Fix status: patches already distributed
While details of QuadRooter have only recently been brought to public attention, Check Point alerted Qualcomm to the vulnerability at the start of the year, and the chipset manufacturer has already developed a patch.
A Qualcomm spokesperson said: "We were notified by the researcher about these vulnerabilities between February and April of this year, and made patches available for all four vulnerabilities to customers, partners, and the open source community between April and July.
Get daily insight, inspiration and deals in your inbox
Sign up for breaking news, reviews, opinion, top tech deals, and more.
"The patches were also posted on CodeAurora. QTI continues to work proactively, both internally as well as with security researchers, to identify and address potential security vulnerabilities."
That means the fix now lies in the hands of the people who make our phones, control our networks and of course, Google – the brains behind the Android platform. We've contacted a number of the major players to find out when you can expect the fix to land on your phone, and we'll update this article as we get responses.
- Key handsets at risk: Nexus 5X, Nexus 6, Nexus 6P
- Fix status: three out of four vulnerabilities covered in latest patch
There's good news from Google, which has moved to fix the issue at its root, with a spokesperson telling us: "Android devices with our most recent security patch level are already protected against three of these four vulnerabilities.
"The fourth vulnerability, CVE-2016-5340, will be addressed in an upcoming Android security bulletin, though Android partners can take action sooner by referencing the public patch Qualcomm has provided."
Google was also quick to highlight that Android already has safeguards in place against potential attacks like this. "Exploitation of these issues depends on users also downloading and installing a malicious application," the spokesperson added. "Our Verify Apps and SafetyNet protections help identify, block, and remove applications that exploit vulnerabilities like these."
BlackBerry
- Key handset at risk: BlackBerry Priv
- Fix status: Fixed!
Update: BlackBerry claims to be the first major manufacturer to patch the QuadRooter vulnerabilities, writing: "Three of the four vulnerabilities have already been fixed on PRIV devices with the August Marshmallow patch and on all DTEK50 devices. In addition, the secure boot chain present in all BlackBerry devices naturally mitigates the remaining issue.
"We're not aware of any exploits for this vulnerability in the wild and we don't think any customers are currently at risk from this issue."
Sony
- Key handset at risk: Xperia Z Ultra
- Fix status: working to make patches available
Meanwhile Sony is working on getting patches ready for its fleet of Qualcomm-powered smartphones, with a spokesperson telling TechRadar: "Sony Mobile takes the security and privacy of customer data very seriously.
"We are aware of the 'QuadRooter' vulnerability, and are working to make the security patches available within normal and regular software maintenance, both directly to open-market devices and via our carrier partners, so timings can vary by region and/or operator.
"Users can take steps to protect themselves by only downloading trusted applications from reputable application stores."
Motorola
- Key handset at risk: Moto X
- Fix status: can already be avoided
There's good news from Motorola, with the Lenovo-owned firm providing a solution which all Android users can take advantage of.
A spokesperson told us "Recently a potential security vulnerability, Quadrooter was discovered in certain Android devices. This potential vulnerability can only be exploited if a user disables the built in Android security measure and downloads a malicious application.
"For more information on how to ensure this is disabled, this link is helpful for consumers."
HTC
All we have so far from the Taiwanese firm is a short, sweet statement from a spokesperson saying "HTC takes customer security very seriously. We are aware of these reports and are investigating them."
We're hoping for more information from HTC very soon.
Samsung
- Key handsets at risk: Galaxy S7, Galaxy S7 Edge (US variants)
- Fix status: unknown
We're waiting for Samsung to get back to us with a comment on the QuadRooter vulnerability.
LG
We're waiting for LG to get back to us with a comment on the QuadRooter vulnerability.
OnePlus
- Key handsets at risk: OnePlus 3, OnePlus 2, OnePlus One
- Fix status: patches included in next OTA
A OnePlus spokesperson told us: "Security is a top priority for OnePlus. The relevant security patches will be included in the next OTAs (Over The Air updates) for all OnePlus devices."
John joined TechRadar over a decade ago as Staff Writer for Phones, and over the years has built up a vast knowledge of the tech industry. He's interviewed CEOs from some of the world's biggest tech firms, visited their HQs and has appeared on live TV and radio, including Sky News, BBC News, BBC World News, Al Jazeera, LBC and BBC Radio 4. Originally specializing in phones, tablets and wearables, John is now TechRadar's resident automotive expert, reviewing the latest and greatest EVs and PHEVs on the market. John also looks after the day-to-day running of the site.