Researchers have detailed four vulnerabilities in Android, caused by bugs in Qualcomm chipset drivers, that allow an attacker to get complete control of a vulnerable device.
Three of the vulnerabilities have already been patched in August’s Android security update, but the fourth has not been fixed yet. Researchers at Check Point discovered the vulnerabilities and disclosed the details Sunday at the DEF CON conference, saying that as many as 900 million Android devices may be vulnerable to attacks that exploit the bugs. The vulnerabilities lie in the drivers for the Qualcomm LTE chipsets that are included in a long list of Android devices, such as Google’s Nexus 5X, 6 and 6P phones, several Samsung and HTC phones, and the Blackphone 1 and 2 phones.
In order to exploit the flaws, an attacker would need to convince a victim to install a malicious app, which likely would need to come from a third-party app store or other source. Check Point has called the group of vulnerabilities QuadRooter, and said the patching process has been complicated by the Android ecosystem structure.
“QuadRooter vulnerabilities are found in software drivers that ship with Qualcomm chipsets. Any Android device built using these chipsets is at risk. The drivers, which control communication between chipset components, become incorporated into Android builds manufacturers develop for their devices,” the company said in a post explaining the flaws.
“Since the vulnerable drivers are pre-installed on devices at the point of manufacture, they can only be fixed by installing a patch from the distributor or carrier. Distributors and carriers issuing patches can only do so after receiving fixed driver packs from Qualcomm.”
Android manufacturers and carriers play key roles in the patching process for their devices, and they control when users get patches for all of the non-Google devices. Google, which maintains the Android code base, sends patches to Nexus users as soon as the fixes are released each month.
“This situation highlights the inherent risks in the Android security model. Critical security updates must pass through the entire supply chain before they can be made available to end users. Once available, the end users must then be sure to install these updates to protect their devices and data,” Check Point said.
So, although Google has released fixes for three of the four vulnerabilities that Check Point disclosed, most Android users won’t have the patches yet, and may not get them for some time.