What makes QuadRooter so interesting and challenging is that it specifically targets Qualcomm’s chipsets. It is an Android OS-level bug that takes advantage of vulnerabilities in Qualcomm-designed hardware components and kernel drivers. Unlike Apple, which closely constrains both hardware and software elements for iOS devices, manufacturers of Android devices install chipset drivers independently to interface with the unique hardware and software applications in each device. To further compound the issue, there are many different versions of the Android OS: because it is open-source, any manufacturer can create a unique variant of Android for their particular device. This is going to make the fix a longer process, as each vendor will have to generate a "patch" for every version of every affected device.
This "compound vulnerability" comprises 4 exploits in Qualcomm's code:
- CVE-2016-2059 – The IPC Router kernel module used in the specific Qualcomm chipset can bind any port and move it from the client port list to a more privileged control port list. Attackers can exploit this behavior to gain privileged access or perform a denial of service on the device.
- CVE-2016-2503 and CVE-2016-2504 – Bugs in the Qualcomm GPU driver could allow a local malicious application to execute arbitrary code within the context of the kernel, which could allow permanent device compromise.
- CVE-2016-5340 – A bug in the Qualcomm Graphics Module allows invalid access to the ashmem area in cases where someone deliberately sets the dentry name to /ashmem.
The QuadRooter saga illustrates the continued challenges of securing mobile devices, especially Android devices.
QuadRooter is one of the many Android security issues that require users to manually install an app, which means going into the Security settings and toggling the "Unknown Sources" checkbox to allow the app to run. If a user doesn't do this (or does it without knowing the ramifications), they remain vulnerable. And history suggests that malware creators will soon release code that exploits QuadRooter, most likely on non-Google Android devices: Google tends to react quickly to vulnerabilities, whereas other device manufacturers that base their devices on Android are less responsive. With less than 20% of users running the latest Android OS, there are ample targets, and there will be for some time to come.
Personally I feel most manufacturers have done their bit, but could have been quicker to the fix. The issue was first reported in April, and since one patch is yet to be released (scheduled for September), I’d say there is still room for improvement. Qualcomm has also issued patches of its own to the manufacturers (outside of the patches that Google provides) -- that is awesome and nearly unprecedented. Qualcomm should be lauded for such security alacrity.
To determine if QuadRooter is being run in any of your applications, you can download Check Point's QuadRooter scanner app from the Play Store. Google has confirmed that Verify Apps can detect and block apps using QuadRooter vulnerabilities. For ongoing security protection, be sure to disable "Unknown Sources" in the phone settings. Consumers should also update their devices to the latest Android OS (and hope that the device manufacturer and carrier have the issue fixed in their latest release!). If your device does not use any of the Qualcomm chipsets, you are safe against these vulnerabilities. For example, a device like the Galaxy S6, S7 Edge or Note 5 uses Samsung's Exynos processor, which is not vulnerable to QuadRooter.
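
The checks in the paragraph above (Qualcomm chipset or not, "Unknown Sources" on or off, current patch level) can be scripted for a fleet of devices; this is an added example, not code from the article, Check Point or Google. The property-name heuristic for recognising a Qualcomm platform, the verdict labels and the sample dumps are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Triage a device for the advice above from saved `adb shell getprop` output.
# Assumption (heuristic, not an authoritative list): Qualcomm devices report
# ro.hardware=qcom or a ro.board.platform starting with msm/apq/sdm.

# getprop_value <key> <dump>: value from "[key]: [value]" lines, empty if absent.
getprop_value() {
    printf '%s\n' "$2" | awk -v key="[$1]:" '
        !found && $1 == key {
            sub(/\r$/, "")            # tolerate CRLF line endings from adb
            sub(/^[^ ]+ \[/, ""); sub(/\]$/, "")
            print; found = 1
        }'
}

# is_qualcomm <dump>: exit status 0 if the dump looks like a Qualcomm platform.
is_qualcomm() {
    local hw platform
    hw=$(getprop_value ro.hardware "$1")
    platform=$(getprop_value ro.board.platform "$1")
    case "$hw" in qcom*) return 0 ;; esac
    case "$platform" in msm*|apq*|sdm*) return 0 ;; esac
    return 1
}

# triage <dump> <unknown_sources>: second argument is the output of
#   adb shell settings get secure install_non_market_apps   (1 = enabled)
# The patch level is reported, not judged: the article names no fixed level.
triage() {
    local patch
    patch=$(getprop_value ro.build.version.security_patch "$1")
    if ! is_qualcomm "$1"; then
        echo "NOT_AFFECTED non-Qualcomm platform"
    elif [ "$2" = "1" ]; then
        echo "HIGH Qualcomm, Unknown Sources enabled, patch level ${patch:-unreported}"
    else
        echo "REVIEW Qualcomm, Unknown Sources disabled, patch level ${patch:-unreported}"
    fi
}

# Constructed sample dumps (not captured from real devices).
SAMPLE_QCOM='[ro.hardware]: [qcom]
[ro.board.platform]: [msm8996]
[ro.build.version.security_patch]: [2016-08-01]'
SAMPLE_EXYNOS='[ro.hardware]: [samsungexynos7420]
[ro.board.platform]: [exynos5]'

triage "$SAMPLE_QCOM" 1
triage "$SAMPLE_EXYNOS" 1
```

On a real device, pass `"$(adb shell getprop)"` as the first argument and the output of the `settings get` command as the second.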