Qualcomm Firmware Vulnerabilities Expose 900 Million Devices, Including Security-Focused Smartphones (Updated)

Security firm Check Point Software Technologies unveiled the second major set of Android vulnerabilities after “Stagefright” to affect the majority of Android devices.

The company uncovered a set of four vulnerabilities, called “QuadRooter,” which impacts all devices that are powered by Qualcomm chipsets. According to Check Point, any one of the four vulnerabilities allows an attacker to escalate privileges on Android devices and gain root access.

Check Point named some of the more popular devices affected by these vulnerabilities, including some devices that are more “security-focused”:

  • BlackBerry Priv
  • Blackphone 1 and Blackphone 2
  • Google Nexus 5X, Nexus 6 and Nexus 6P
  • HTC One, HTC M9 and HTC 10
  • LG G4, LG G5, and LG V10
  • New Moto X by Motorola
  • OnePlus One, OnePlus 2 and OnePlus 3
  • Samsung Galaxy S7 and Samsung S7 Edge
  • Sony Xperia Z Ultra

The security firm said that a malicious app could take advantage of these vulnerabilities without any special permissions being required. This means users wouldn’t suspect a thing when installing one of these malicious apps, as they would just consider them to be normal apps.

The vulnerabilities exploited by these apps are inside Qualcomm’s chipset firmware, so any device using Qualcomm chips is exposed to attacks. Qualcomm’s baseband firmware, as well as the baseband firmware of other modem makers, has long been considered a potential attack vector, even for security-focused devices such as the Blackphone, the BlackBerry Priv, and Google’s own Nexus smartphones. The baseband firmware has access to parts of the Android operating system that other components wouldn’t normally have, which means any vulnerability in the baseband firmware could give an attacker full control over the OS.

Check Point researchers remind us that Android’s biggest security flaw is in the way the operating system is patched. When a vulnerability is found, it has to go through the entire supply chain before it reaches users. The update has to first be delivered by Qualcomm to a manufacturer such as HTC. Then, it may have to go through carriers before it finally reaches users. However, for most devices, that update either doesn’t arrive in a timely manner, or it doesn't land at all.

The QuadRooter vulnerabilities can provide an attacker with capabilities such as keylogging, GPS tracking, and recording video and audio. Google may soon be able to offer some protection through its “Verify Apps” anti-malware service, but until then Check Point has a QuadRooter Scanner app available to verify if your device is still vulnerable.

Updated, 8/09/2016, 10:45pm PT: Qualcomm contacted Tom's Hardware with an official statement about this issue, saying it has already released a patch, which has been published on CodeAurora. However, it is still up to smartphone makers and carriers to deliver this update to users, which likely won't happen for the majority of the affected devices.

"Providing technologies that support robust security and privacy is a priority for Qualcomm Technologies, Inc. (QTI)," said Qualcomm in an official statement.

"We were notified by the researcher about these vulnerabilities between February and April of this year, and made patches available for all four vulnerabilities to customers, partners, and the open source community between April and July. The patches were also posted on CodeAurora. QTI continues to work proactively both internally as well as with security researchers to identify and address potential security vulnerabilities," the company added.