The latest Android vulnerability to fret about isn’t limited to any particular device, or any specific firmware version. That’s because it doesn’t start with Android at all, but with Qualcomm, the company that provides internal components for hardware manufacturers. Lots of them. In this case, 900 million Android smartphones with Qualcomm inside are at risk, and fixing them will be no easy task.
As security research firm Check Point detailed this week, the vulnerability in question is actually a set of four issues, collectively called QuadRooter, and affects Qualcomm chipsets from manufacturers ranging from HTC to LG to OnePlus to Google, which contracts with other makers for its own Nexus devices. It’s serious; compromised devices would give bad actors root access, meaning they could collect any data stored on the phone, control the camera and microphone, and track its GPS location. It’s like giving someone the keys to your house, then holding the door open for them while they make off with the jewels.
Smartphones and tablets often experience vulnerabilities like this, regardless of the operating system. When it happens on iOS, though, Apple’s generally able to address the issue quickly because it so tightly controls both the hardware and software that comprise its ecosystem. On Android, the fixes are rarely so easy.
“Android security updates are really hard,” says Jeff Zacuto, a member of Check Point’s Mobile Research team. “The Android ecosystem is so fragmented. There are a lot of different versions and variants of Android in the marketplace, because each individual device has its own particular nuances.”
That’s not a new problem; even at the most basic level, only 15 percent of Android devices have updated to Android 6.0 Marshmallow, which Google released last October. Nearly a third are still on Android 4.4 KitKat, which by now is nearly three years old. Those updates don’t just bring fun new features; they also bring valuable security enhancements.
The nature of QuadRooter exacerbates these issues, because it impacts Qualcomm drivers, which are installed not by Google but by individual manufacturers. Those manufacturers also generally produce several models of each smartphone they ship, tailoring them to carriers, who often install custom software of their own before the devices get to the consumer.
That’s why, even though Qualcomm released patches for all four vulnerabilities between April and July, the fixes are still slow to reach actual devices. Even Google’s Nexus devices, which are typically at the vanguard of security, have only addressed three of the four issues. The last will be included as part of a broader security update in the coming months.
As for the other hundreds of millions of impacted devices, it’s not clear how many have gone through the update process. “In order to get these security patches to the end user, they have to travel the whole length of the Android lifecycle,” says Zacuto. “That’s all the way from the supplier down to the end user, and you’ve got manufacturers in the mix, Google in the mix, and also the carriers.” Check Point has created a free app with which people can scan their devices to see if theirs is currently vulnerable (which also, for what it’s worth, doubles as marketing for Check Point).
“We appreciate Check Point's research as it helps improve the safety of the broader mobile ecosystem,” says a Google spokesperson. The company rated the four QuadRoot issues as “high” risk. The other options on its assessment scale are “moderate” and “critical,” making QuadRooter serious but not devastating.
That’s partly because falling victim to a QuadRoot attack requires downloading a malicious app. Zacuto says that while Google is generally very good at keeping malware out of the Google Play store, the practice of sideloading apps from untrusted sources could leave plenty of devices at risk, especially in regions outside of the US where the practice is more common.
Even if vigilant Android owners should be unscathed, QuadRoot is yet another reminder of how difficult it is to keep Android devices safe. With so many devices, and so many variants within those devices, and such belated updating on the part of users, problems like QuadRoot won’t just continue to appear. They’ll continue to stick around far longer than they reasonably should.
“The security model in the Android ecosystem is inherently flawed,” says Zacuto. And while Google has done terrific work securing its own devices, it’s got too far to go still making sure all of its partners can ensure our safety as well.
