
900M Android Devices Vulnerable To New 'Quadrooter' Security Flaw (cnet.com)

An anonymous Slashdot reader quotes a report from CNET: Four newly-discovered vulnerabilities found in Android phones and tablets that ship with a Qualcomm chip could allow an attacker to take complete control of an affected device. The set of vulnerabilities, dubbed "Quadrooter," affects over 900 million phones and tablets, according to Check Point researchers who discovered the flaws. An attacker would have to trick a user into installing a malicious app, which wouldn't require any special permissions. If successfully exploited, an attacker can gain root access, which gives the attacker full access to an affected Android device, its data, and its hardware -- including its camera and microphone.
The flaw even affects several of Google's own Nexus devices, as well as the Samsung Galaxy S7 and S7 Edge, according to the article, as well as the Blackberry DTEK50, which the company describes as the "most secure Android smartphone." CNET adds that "A patch that will fix one of the flaws will not be widely released until September, a Google spokesperson confirmed."
  • Eds, why not check the article and link directly to zdnet and not the 'sister' publication?

  • Rooted phone? (Score:5, Insightful)

    by Razed By TV ( 730353 ) on Sunday August 07, 2016 @09:14PM (#52662575)
    Does this mean I might get to root my otherwise unrootable phone?
  • Quad Rooter (Score:2, Funny)

    by Anonymous Coward

    That's what me and my mates called ur mum, she's pretty skilled taking 4 at a time.

  • by wbr1 ( 2538558 ) on Sunday August 07, 2016 @10:02PM (#52662657)
    It requires sideloading be turned on to get in. This is off by default on any sane device. Yes it could get in through the Play Store, but since Google now knows the exploit you can bet all apps are scanned.

    This is mostly fear mongering. Now if you could root my phone with an MMS or some other function that does not require me to turn off security features first, then I'll worry.

    I will worry about all the cheap Chinese tabs and phones that come with sideloading (and malware/crapware) installed by default.

    • by xvan ( 2935999 )
      Anybody can comment on how strict are apple / google security processes to publish an app on their stores?
    • by Trogre ( 513942 )

      I take it you've never heard of f-droid. Only one of the biggest FOSS repositories for a single platform.

      And since it's not an official Google product, funnily enough, it requires sideloading.

      • by wbr1 ( 2538558 )
        Yeah I have, most people do not need it or use it. However, for those that do, the smart thing is to turn the setting off temporarily when loading an app, and be sure of what you are loading.

        A very small percentage use alternate app stores, so saying 900M devices are vulnerable is a bit hyperbolic.

  • by Anonymous Coward

    you're owned anyways.

    what's so special about this? people just hit 'yes' on all permissions on android anyways. am I missing something?

    • It's part of the advertising deal with MICROS~1, to only mention Android in relation to vulnerabilities else it's flash or banking trojan.
    • Seeing that the app doesn't need special permissions, tricking the user is the easy part
  • by pgn674 ( 995941 ) on Sunday August 07, 2016 @10:17PM (#52662687) Homepage
    Check Point has an app in the Google Play app store that scans your phone for the vulnerabilities: https://play.google.com/store/... [google.com]
    • There's no update, and even if there were it'll come when the providers push it out. With a phone, you just have to accept that if the thing is vulnerable, it is vulnerable. You can't really do anything as a user. Anything you can do is shit you should already be doing like installing apps only from trusted sources and running a malware scanner.

      • you should already be doing like installing apps only from trusted sources and running a malware scanner

        You don't need a third party malware scanner. Just turn on the built in Verify Apps.

  • The Blackphone 2 uses a Qualcomm Snapdragon chip. The maintainers (Silent Circle) released a patch a week ago that 'updates to the latest Qualcomm config files' but it's unclear if that fixes this specific vulnerability.

    • The Blackphone 2 uses a Qualcomm Snapdragon chip. The maintainers (Silent Circle) released a patch a week ago that 'updates to the latest Qualcomm config files' but it's unclear if that fixes this specific vulnerability.

      Nope, it doesn't. Still one out of four isn't bad :( (just vulnerable to: CVE-2016-5340) This will be a test of the promise to be the fastest at fixing/patching issues.....

  • An attacker would have to trick a user into installing a malicious app

    Stopped reading after that.
    Mundus vult decipi, ergo decipiatur.

  • "An attacker would have to trick a user into installing a malicious app"

    Is this what slashdot is reduced to, posting bogus pseudo technical quotes from a known Microsoft shill.
  • FOR THE LOVE OF GOD, EXPLOIT MY BOOTLOADER, MAKE HER VULNERABLE TO ATTACK! For my Verizon Samsung Galaxy S7 remains invulnerable to any attack outside simple root base exploits. Oh script kiddy gods, I BEG YOU (no sarcasm).
  • So that is what you get from switching away from QNX.

    • I also hear that MS-DOS has never been attacked on a smart phone.

      • by drolli ( 522659 )

        Well... technically any virus attacking MS-DOS but accidentally hitting a Nokia 9000 communicator could probably be counted under the category "MS-DOS" on a smartphone.....

  • by shione ( 666388 ) on Monday August 08, 2016 @01:29AM (#52663151) Journal

    If it doesn't trip knox then someone could retool the exploit to root the phones in a good way.

  • But hey, at least owners of these devices have a super easy path to root without need to flash any special image.
  • I think the only way you can possibly make any so-called 'smartphone' secure, is to have a hardware switch that puts the entire phone into 'read only' mode, so nothing new can be installed on it. They're like cheap Swiss cheese: more holes than cheese. I think I'll just keep sticking with cheap-ass $50 flip-phones. If something happens to it I can break it in half, toss it into the e-waste bin, and go get another one and nothing of value is lost. At least I don't become an unwilling participant in someone's b
