Android users might be feeling a little exposed in the wake of a report by Check Point researchers that found almost a billion phones are at risk of malware attacks. The security research company found a set of vulnerabilities in Qualcomm’s chipsets that allow hackers to gain root-level access to a user’s phone and potentially hijack the device. Qualcomm chipsets come in almost every Android phone and Check Point estimates 900 million devices in use today could be affected.
There are four vulnerabilities total bundled under the name QuadRooter and they affect a range of popular devices, including Samsung’s Galaxy S7 to Motorola’s Moto X to Sony’s SNE and to Google’s line of Nexus phones. Even secure handsets like BlackBerry’s Priv and Blackphone are at risk.
Luckily, we haven’t heard of anyone taking advantage of the vulnerabilities yet. Plus, users are somewhat safeguarded by the fact that they would first have to download a malicious app outside of the official app store in order to precipitate an attack. It’s something US consumers tend not to do in the first place. It is more common in markets like China and India, however.
For its part, Qualcomm stated they have already made fixes in the software to address the problem. “We were notified by the researcher about these vulnerabilities between February and April of this year, and made patches available for all four vulnerabilities to customers, partners, and the open source community between April and July,” Qualcomm said in a statement.
But just because Qualcomm made the fix doesn’t mean you’ll see it on your phone immediately and this is where things get much more complicated. It’s now up to individual phone manufacturers to push software updates on their devices to deploy the patches.
Google has already pushed updates that address three of the four vulnerabilities and the last one will come in September. So Google’s Nexus devices are safe but the same can’t be said for Android devices from other manufacturers. Samsung has historically been pretty quick with releasing updates but it’s still left up to the manufacturer to implement their own timeline.
What the security risk exposed more than anything else is probably just how fragmented the Android supply chain looks.
“This situation highlights the inherent risks in the Android security model,” Check Point said in a statement. “Critical security updates must pass through the entire supply chain before they can be made available to end users. Once available, the end users must then be sure to install these updates to protect their devices and data.”
For now, Android users are being reminded to practice proper hygiene to avoid risk of infection. Avoid installing unofficial apps off the official app market. Read the app permissions carefully and be wary of any apps asking for permission that don’t seem necessary. Install updates as soon as they’re available.
And if you’re curious to know how exposed your particular Android phone is, Check Point went so far as to create a free app that can detect if your phone has any of the four vulnerabilities they identified. Get it here and find out for yourself.