Four previously undisclosed security vulnerabilities found in Android phones and tablets that ship with Qualcomm chips could let a hacker take full control of an affected device.
Almost a billion Android devices are affected by the "high" risk privilege escalation vulnerabilities, dubbed "Quadrooter," say researchers at security firm Check Point.
Adam Donenfeld, the firm's lead mobile security researcher who found the flaws, explained the vulnerabilities in greater detail at the Def Con security conference on Sunday.
An attacker would have to trick a user into installing a malicious app, which unlike some malware wouldn't require any special permissions. (Most Android phones don't allow the installation of third-party apps outside of the Google Play app store, but attackers have slipped malicious apps through the security cracks before.)
If any of the flaws are successfully exploited, an attacker can gain root access, which gives the attacker full access to an affected Android device, its data, and its hardware -- including its camera and microphone.
One patch to come
Check Point said most phone makers have devices that are vulnerable.
Google's Nexus 5X, Nexus 6, and Nexus 6P, HTC's One M9 and HTC 10, and Samsung's Galaxy S7 and S7 Edge are some of those named vulnerable to one or more of the flaws.
The recently-announced BlackBerry DTEK50, which the company touts as the "most secure Android smartphone", is also vulnerable to one of the flaws.
A Qualcomm spokesperson said the chipmaker has fixed all of the flaws, and had issued patches to customers, partners, and the open source community between April and the end of July. Most of those fixes have already gone into Android's monthly set of security patches, which Google issues early each month to its own-brand Nexus devices. Many other phone and tablet makers roll out those patches at the same time or in the following few days.
Three flaws were fixed in Google's latest set of monthly security updates, but one of the vulnerabilities is still outstanding, largely because the final patch wasn't issued in time.
Frustration at fragmentation
Google confirmed that the fourth flaw will be fixed in the upcoming September update, which is due out a little after the start of next month.
But because Qualcomm has already provided the code to partners, it's possible that phone makers could issue patches to the individual devices sooner.
Michael Shaulov, head of mobility product management at Check Point, told me on the phone two weeks ago of his frustration at the challenge faced with fixing the Quadrooter flaws.
"Qualcomm has a significant position in the development chain, in that a phone maker isn't taking the Android open-source code directly from Google, they're actually taking it from Qualcomm," he said.
Shaulow explained that this only complicates the patching process, which led to the delay in getting the final fix out in time to meet Check Point's three-month period of private disclosure.
"No-one at this point has a device that's fully secure," he said. "That basically relates to the fact that there is some kind of issue of who fixes what between Qualcomm and Google."
In other words, blame the complex, messy supply chain.
That's one of the reasons why two federal agencies have stepped in to question why phone security updates are often haphazard or few and far between. The Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) both asked Apple, Google, and phone makers and carriers when it's decided "to patch a vulnerability on a particular mobile device" or not.
A report is due out later this year.