NEWS ANALYSIS: Four flaws reported by Check Point aren’t the most serious Qualcomm Android flaws reported this year; users still haven’t updated for Google patches for flaws and likely never will.
Among the myriad security disclosures that came out of last week’s Black Hat and DefCon security events was one about a new Android flaw dubbed QuadRooter by security firm Check Point. While QuadRooter (a set of four security vulnerabilities affecting Android devices built using Qualcomm chipsets) is real, it likely doesn’t represent new vulnerabilities that are any more exploitable than the more than 100 other Qualcomm driver vulnerabilities that Google has patched in Android already in 2016.In June, the first important bunch of Qualcomm-related driver flaws were patched with updates for six critical flaws, though as it turns out, the June update was the tip of a very large iceberg. In Google’s July Android security update, 108 different Qualcomm driver-related flaws were patched. Despite patching those 108 flaws, Google still wasn’t done with Qualcomm vulnerabilities, patching an additional 55 vulnerabilities in its August update.So to recap, in the last 60 days alone, Google has patched 163 vulnerabilities related to Qualcomm components used in Android. Those vulnerabilities include distributed denial-of-service (DDoS) risks, privilege escalation flaws, remote code execution and information disclosure vulnerabilities.Given the number of vulnerabilities, why are the four QuadRooter flaws any more—or less—important or risky? The simple answer is they are not—they are just four flaws out of over 100 that are potentially putting a subset of Android users at risk today.
Why I say a subset, as opposed to the 900 million Android users out there, is because while Qualcomm chips are very popular in Android smartphones, they are not ubiquitous. Also, not every Android device that includes Qualcomm hardware has the same hardware and makes use of the same drivers.
I’m not minimizing the risk of QuadRooter. It’s a real risk, but it’s important to understand the whole story. Exploiting any of the flaws in the Qualcomm drivers would mean that some form of malicious application would need to get onto a user’s device first. Fortunately, the Google Play store typically filters out potentially malicious code to limit the risk. Android users of course can easily install apps from outside of Google Play, but Google has technology called Verify Apps that checks to make sure apps are safe after analyzing the entire ecosystem of Android developers.As such, for any one user (let alone 900 million) to be exploited by way of QuadRooter, that user would first have to have an Android device running with vulnerable Qualcomm components and then the user would have to install some form of malicious app that would be able to bypass multiple layers of Google’s security.
Good News and Bad News About Patches
That doesn’t mean QuadRooter, or the other 100-plus Qualcomm driver issues, doesn’t pose a risk, which is why Google has patches. The big issue with the Android patches, though, is that most Android users will never get them. Google’s Android Nexus users are supposed to get the patches, and Google also makes all of the patches available to its handset partners. That said, no Android handset vendor provides patches as fast as Google does for Nexus, so there is always a time lag, and many Android devices don’t get updated at all.However, even among Nexus users, there is a risk. In the spirit of full disclosure, I own a new Nexus 5X, which I specifically acquired so that I could get Android updates quickly. For the August update, which first became available on Aug. 5, my device still isn’t updated as of today (Aug. 10).While the Nexus 5X is an unlocked device, Google doesn’t make all Nexus updates available to everyone at the same time. There is often a lag, of up to a week in my experience so far in 2016, from the time an Android update is announced and the time an update is actually available for my Nexus 5X. Theoretically, that could mean that even a new Nexus device owner like me is at risk for as long as a week, even when patches are supposed to be available.While the Qualcomm-related flaws can represent a risk, they are not the only risks to Android users. Since August 2015, Google has released more than 300 patches for Android. But for users who haven’t updated their Android devices, either because they’re unaware or because patches are unavailable, any number of those 300 flaws is a potential path to exploitation.In the final analysis, Android flaws will no doubt continue to be found and there will be users at risk, but risk doesn’t always translate into 900 million users being exploited instantly.Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.