Cyber criminals could have access to hundreds of millions of Android smartphones' data. This conclusion was reached after Check Point uncovered four vulnerabilities.
The security firm released a report that showed Android devices running Qualcomm chipsets are at risk from a threat dubbed QuadRooter.
The affected devices include smartphones from BlackBerry, Blackphone, Google Nexus, HTC, LG, Motorola, OnePlus, Samsung and Sony Xperia.
An attacker would exploit the vulnerabilities by using a malicious app.
"Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing," says Adam Donenfeld, a member of the Check Point mobile research team.
The attacker would then potentially be able to control devices and could access capabilities such as GPS tracking, and recording video and audio.
The weaknesses were found in software drivers that come with Qualcomm chipsets.
"The drivers, controlling communication between chipset components, become incorporated into Android builds manufacturers develop for their devices," the company said in the report.
"Pre-installed on devices at the point of manufacturing, these vulnerable drivers can only be fixed by installing a patch from the distributor or carrier. Distributors and carriers can only issue patches after receiving fixed driver packs from Qualcomm."
After discovering the faults, Check Point let the chip manufacturer know in April.
Qualcomm confirmed to the firm it would release patches to the device manufacturers. It is then up to the manufacturers to send updates to smartphones already sold, and for end-users to install them.
"This situation highlights the inherent risks in the Android security model. Critical security updates must pass through the entire supply chain before they can be made available to end-users," says Donenfeld.
Check Point has developed a QuadRooter scanner app that is available free on Google Play. Running it will tell users if these vulnerabilities exist on their device.
Smartphone models which could be at risk include:
BlackBerry Priv
Blackphone 1 and Blackphone 2
Google Nexus 5X, Nexus 6 and Nexus 6P
HTC One, HTC M9 and HTC 10
LG G4, LG G5, and LG V10
New Moto X by Motorola
OnePlus One, OnePlus 2 and OnePlus 3
Samsung Galaxy S7 and Samsung S7 Edge
Sony Xperia Z Ultra
Hold up
While the vulnerabilities unearthed by Check Point are serious, Google has said it has an app pre-installed onto most affected devices that will automatically block a malicious app from being downloaded.
A Google spokesperson told Android Central: "Exploitation of these issues depends on users also downloading and installing a malicious application. Our Verify Apps and SafetyNet protections help identify, block and remove applications that exploit vulnerabilities like these."
However, Android phones that do not come with Google Play Services installed will still be at risk.
The spokesperson also said Google has released a security patch that protects against three of the vulnerabilities and is working on a patch for the fourth.
Smartphone manufacturer BlackBerry has released a statement saying it is aware of QuadRooter and a fix for BlackBerry's Android devices has been tested and pushed to customers.
Risky behaviour
Much has been done by partners to mitigate the vulnerabilities and protect the device owners.
Those most at risk will be users who side-load Android apps, by downloading APK files, or those who have disabled Google's Verify Apps feature.
Side-loading apps is often used to acquire apps that are not available in certain regions, like the mobile game Pokémon Go and music app Spotify.
Check Point recommends downloading and installing the latest Android updates as soon as they become available, carefully examining app permissions before giving access, and avoiding app downloads from third-party sources.
Share