Uh-oh.
Check Point researchers have warned of a security hole in the microchips used in almost a billion Android devices that – if exploited – could give hackers complete access:
An attacker can exploit these vulnerabilities using a malicious app. Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing.
The set of vulnerabilities, dubbed QuadRooter, was disclosed during a session at Def Con in Las Vegas, and is present in Qualcomm chipsets used by many of the most popular Android devices, including:
- BlackBerry Priv
- Blackphone 1 and Blackphone 2
- Google Nexus 5X, Nexus 6 and Nexus 6P
- HTC One, HTC M9 and HTC 10
- LG G4, LG G5, and LG V10
- New Moto X by Motorola
- OnePlus One, OnePlus 2 and OnePlus 3
- Samsung Galaxy S7 and Samsung S7 Edge
- Sony Xperia Z Ultra
If left unpatched, the QuadRooter vulnerabilities could give attackers complete control of compromised devices, allow malicious hackers to access sensitive information, and plant malware.
Check Point has released a free scanner app to help Android users know if their personal devices are at risk.
In addition, Check Point's blog post offers sensible advice for Android users: apply the latest OS security updates (if they are made available, of course…), be wary of installing apps from unknown sources, and double-check that the permissions requested by Android apps are appropriate.
I have a Samsung Note 3 (AT&T) running Lollipop that was given to me by my employer. It was purchased in the US. It's been over a year now and no updates have been pushed by them. Compare that to my Lenovo K3 Note that I purchased in India where I get regular updates. The difference is that in India, the mobile phone market is not in the stranglehold of the carriers. In fact, buying an unlocked phone not tied to any carrier is the norm. I hope the US carriers are more responsive when it comes to releasing patches and updates.