In mobile devices software vulnerabilities are more likely reported more often than not. a recent report found that a quarter of mobile apps contain “at least one” high-risk security flaw. it’s rare that one will affect many devices. Yet a new bug, dubbed “Quadrooter,” that resides within the firmware of a Qualcomm chip contained in more than 900 million devices was discovered.
It is stated that the new vulnerability, in skilled hands gain complete control of a smartphone or tablet to shady programmers. It could allow a malicious app to bypass Android’s built-in security measures and grant itself administrative privileges, a level of access that entails the ability to collect “sensitive personal and enterprise data.”
There hasn’t been any observations as of yet of any exploits “in the wild,” but there could possibly be some reported in the upcoming months.
Here is a published preliminary list of affected devices:
"The flaw requires a would-be victim to install a malicious app — infected code posing as a legitimate update, for instance, or a pirated version of a paid application." Pssibly apps distributed through Google’s Play Store, which Google regularly scans for malware. Apps infected with Quadrooter’s delivery mechanism would have to be installed manually by toggling the “Unknown Applications” setting in Android’s settings menu. Which we all know is sometimes dangerous when acquiring apps from another outside source.
It would also require that users disable Android’s “Verify Apps” feature, a malware filter that scans for known vulnerabilities in apps.
Android Central notes that the protection has been enabled by default in all Android versions since 4.2 Jelly Bean in 2012, and that it’s frequently updated with new virus definitions via Google Play Services, the Android framework responsible for delivering Google app updates. Google also conducts security scans of Android phones about “once per week” by default and can, in some cases, uninstall infected applications from handsets remotely.
A Qualcomm spokesperson mentioned that Qualcomm issued patches to “customers, partners, and the open source community” between April and the end of July. Google, for its part, said that “most” of the fixes had been rolled into Android’s monthly security update — the collection of firmware fixes that the company makes available to its Android partners.
There should be an issued fourth and final fix in September, the month of its next security update. This doesn’t mean Android phone makers won’t implement a fix sooner.
The nature of the exploit highlights the difficulty in ensuring that Android devices, oversight of which typically involves at least a handful of parties, remain inoculated against new threats. “Critical security updates must pass through the entire supply chain before they can be made available to end users. Once available, the end user must then be sure to install these updates to protect their devices and data.”as stated by Google.
It’s a problem escalated when some refuse to play ball. Lenovo caused a domino effect implying in a recent statement that the Moto Z, its new flagship phone in the U.S., wouldn’t be receiving monthly security patches. The company has since clarified its stance, but the issue of infrequent, incomplete, or otherwise haphazard security updates has prompted activity at the federal level.
The Federal Trade Commission and the Federal Communications Commission are compiling a report, due out later this year, about the decision process involved in “[patching] a vulnerability on a particular mobile device.”
This follows the discovery of two major Android vulnerabilities in the past year, Stagefright and Fake ID. Stagefright, a fix for which is scheduled for September, tapped into bugged code within Android’s multimedia playback and allowed apps to gain administrative access. The other Fake ID, let malicious apps assume the identity of legitimate software. A patch was issued in late July.