Security researchers have discovered four serious Qualcomm chip flaws that hackers can take advantage of to gain full access to a person’s smartphone. The issues are yet to be patched on most devices, though Nexus handsets have received some security patches since the issues were first discovered.
Even so, some of the hottest Android devices available in stores, including the Galaxy S7, Galaxy S6, HTC One M9, HTC 10, Nexus 5X, Nexus 6P, and Nexus 6 are already vulnerable. Even the BlackBerry DTEK50, touted as the “most secure Android smartphone,” can be hacked using these flaws. In all, over 900 million Android phones could be hacked.
Dubbed Quadrooter and discovered by security researchers at Check Point, the vulnerabilities affect Qualcomm chips, and could let a third party take full control of a device, including access to the camera and microphone.
All hackers would have to do is to fool unsuspecting users into installing a malicious app. The application doesn’t even need to have any special permissions, which malware apps often need when infecting an Android device.
Qualcomm already issued patches for the four undisclosed flaws between April and the end of July, but because of the fragmented state of the Android ecosystem, delivering them to customers is a problem.
Google already issued three patches to its Nexus devices, but one of the vulnerabilities is still at large, and should be fixed only in September. Android device makers have also received the patches, and they may update some of their devices sooner rather than later.
“No-one at this point has a device that’s fully secure,” Check Point’s head of mobility product management Michael Shaulov told ZDNet. “That basically relates to the fact that there is some kind of issue of who fixes what between Qualcomm and Google.”
The firm’s lead mobile security researcher Adam Donnenfeld explained the issues at the Def Con security conference on Sunday. Check Point has a three-month period of private disclosure for newly discovered vulnerabilities, but Qualcomm and its partners failed to fix the issues before it expired.
That doesn’t mean your expensive Android device is now at risk of being infected by malware apps. The same rules still apply to avoid contracting any Android disease. Don’t download apps from shady places, and you should be just fine.