Security flaws on the Android platform are normal, it is something Google hates, but it is a fact of the OS. The four latest major security flaws have been discovered by Check Point, and affect some 900 million Android devices. This is a major vulnerability that even endangers some of the newest products on the platform.
Google insists that Android is as secure as any platform from the factory. The problem is OEM changes and the openness of the platform result in large-scale vulnerabilities. Security researcher Check Point says it has found four major issues which it calls the “QuadRooter”.
The issues allow hackers to gain access to a device at a root level. More specifically, a malicious app can be used to exploit the flaws and get in to the root, without needing permissions. The company points out that this gives complete access to a device. Unrestricted access means hackers can see all information, including photos, videos, addresses, passwords, and more.
What is particularly concerning is how widespread devices the QuadRooter vulnerability affects. Often major flaws hit older devices or a select user-base. However, 900 million devices represents a large portion of the Android market and the flaws are even evident on major name products.
Among the most notable handsets affected is the BlackBerry Priv. This was the Canadian company's first smartphone on the Android platform, it was specifically marketed for its security attributes. Check Point notes these huge-selling smartphones and tablets are affected:
Google Nexus 5X, Nexus 6 and Nexus 6P
HTC One, HTC M9 and HTC 10
LG G4, LG G5, and LG V10
New Moto X by Motorola
OnePlus One, OnePlus 2 and OnePlus 3
Samsung Galaxy S7 and Samsung S7 Edge
Sony Xperia Z Ultra
As well as being able to steal data, hackers could also use keyloggers to spy on device activity. This includes access to the camera and microphone without the user knowing.
A Slow Fix
The company notified Qualcomm of the issues in April. It is standard practice to give companies 90 days before making finding's public. In the interim period, Qualcomm says it has sent patches to OEMs.
However, the OEMs then have to implement the changes across hundreds of millions of devices. Check Point says this exposes a critical flaw in the general security model of Android, saying the platform has “inherent risks.”
“Suppliers, like chipset makers, provide the hardware and software modules needed to manufacture smartphones and tables.
Original equipment manufacturers (OEMs) combine these software modules, Android builds from Google, and their own customizations to create a unique Android build for a particular device.
Distributors resell the devices, often including their own customizations and apps – creating yet another unique Android build.
When patches are required, they must flow through this supply chain before making it onto an end user's device. That process often takes weeks or even months.”