Hackers May Exploit Qualcomm Chip in Android Devices, Report Says

Share This Article:

By Ken Stone

An Internet security company is sounding the alarm on a Qualcomm-made chip used in 900 million Android devices, saying hackers may be able to watch photos or video and steal keystrokes.

Support Times of San Diego's growth
with a small monthly contribution

Check Point report on QuadRooter flaw in Qualcomm chips. (PDF)

San Carlos-based Check Point on Monday disclosed details in a session at the hacking conference DEF CON 24 in Las Vegas.

In a blog post by Adam Donenfeld, Check Point says an attack on four QuadRooter flaws “can trigger privilege escalations for the purpose of gaining root access to a device.”

“An attacker can exploit these vulnerabilities using a malicious app,” Donenfeld wrote Sunday. “Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing.”

QuadRooter bugs can give attackers “complete control of devices and unrestricted access to sensitive personal and enterprise data on them,” Donenfeld said. “Access could also provide an attacker with capabilities such as keylogging, GPS tracking and recording video and audio.”

Qualcomm didn’t immediately respond to a request for comment on this issue being discussed worldwide. The company’s Twitter feed doesn’t address the bug either.

Donenfeld said the issue highlights the inherent risks in the Android security model.

“Critical security updates must pass through the entire supply chain before they can be made available to end users,” he said. “Once available, the end users must then be sure to install these updates to protect their devices and data.”

Check Point released a free QuadRooter scanner app on Google Play, “which can tell you if these vulnerabilities exist on your device.”

The [London] Telegraph and other European outlets have been reporting on this flaw.

They list these affected handsets:

  • Samsung Galaxy S7 and S7 Edge
  • Sony Xperia Z Ultra
  • Google Nexus 5X, 6 and 6P
  • HTC One M9 and HTC 10
  • LG G4, G5 and V10
  • Motorola Moto X
  • OnePlus One, 2 and 3
  • BlackBerry Priv
  • Blackphone 1 & 2

According to Android Today, Qualcomm was notified of the vulnerabilities in April.

“The chipmaker says that all the bugs were fixed at its end and patches were handed over to customers. While fix for three vulnerabilities have already made it to recent Android monthly security updates released by Google, one is still outstanding – it’ll be be included in the September update,” said Android Today.

But Android Central said chances are low that users are vulnerable.

“You could conceivably go to Security settings, enable Unknown Sources, then ignore the full-screen warning that you’re about to install malware. But at that point, to a large extent, it’s on you,” said Android Central.

“Android will identify any QuadRooter-harboring app as harmful and show a big scary warning screen before letting you get anywhere near installing it.”

Investors hardly blinked. Qualcomm shares closed Monday at $61.58, a dip of 42 cents, or .68 percent.

Follow Us: