Qualcomm-powered Android devices plagued by four rooting flaws

Hundreds of millions of Android devices based on Qualcomm chipsets are likely exposed to at least one of four critical vulnerabilities that allow non-privileged apps to take them over.

The four flaws were presented by security researcher Adam Donenfeld from Check Point Software Technologies on Sunday at the DEF CON security conference in Las Vegas. They were reported to Qualcomm between February and April, and the chipset maker has since released fixes for the vulnerabilities after classifying them as high severity.

Unfortunately, that doesn’t mean that all devices are yet protected. Due to the fragmentation of the Android ecosystem, many devices run older Android versions and no longer receive firmware updates, or they receive the fixes with months-long delays.

Not even Google, which releases security patches for its Nexus line of Android phones and tablets on a monthly basis, has fixed all the flaws.

The vulnerabilities have collectively been dubbed QuadRooter because if exploited, they provide attackers with root privileges — the highest privileges on a Linux-based system like Android. Individually they’re tracked as CVE-2016-2059, CVE-2016-2503 and CVE-2016-2504 and CVE-2016-5340, and they’re located in various drivers that are provided by Qualcomm to device manufacturers.

Qualcomm released patches for these vulnerabilities to customers and partners between April and July, said Alex Gantman, vice president of engineering for the Qualcomm Product Security Initiative, in an emailed statement.

Meanwhile, Google has distributed only three of these patches so far through its monthly Android security bulletins for Nexus devices. The security updates released by Google are shared with phone manufacturers in advance and are also published to the Android Open Source Project (AOSP).

Devices running Android 6.0 (Marshmallow) with a patch level of Aug. 5 should be protected against the CVE-2016-2059, CVE-2016-2503, and CVE-2016-2504 flaws. Android devices running 4.4.4 (KitKat), 5.0.2 and 5.1.1 (Lollipop) that include the Aug. 5 patches should also have the CVE-2016-2503 and CVE-2016-2504 patches, but would be vulnerable to a version of the CVE-2016-2059 exploit that Google has flagged as low severity due to existing mitigations.

The fourth vulnerability, CVE-2016-5340, remains unpatched by Google, but device manufacturers could obtain the fix for it directly from Qualcomm’s Code Aurora open-source project.

“This flaw will be addressed in an upcoming Android security bulletin, though Android partners can take action sooner by referencing the public patch Qualcomm has provided,” a Google representative said via email. Exploiting any of these four vulnerabilities would involve users downloading malicious applications, Google said.

“Our Verify Apps and SafetyNet protections help identify, block, and remove applications that exploit vulnerabilities like these,” the representative added.

It’s true that exploiting the flaws can only be done through rogue applications and not directly through remote attack vectors like browsing, email or SMS, but those malicious applications would not require any privileges, according to Check Point.

Check Point’s researchers and Google have disagreed about the severity of CVE-2016-2059. While Qualcomm rated the flaw as high severity, Google rated it as low severity because it said it can be mitigated through SELinux.

SELinux is a kernel extension that makes exploitation of certain vulnerabilities much harder by enforcing access controls. The mechanism was used to enforce application sandbox boundaries starting with Android 4.3 (Jelly Bean).

Check Point doesn’t agree with Google’s assessment that SELinux mitigates this flaw. During Donenfeld’s talk at DEF CON, he showed how the CVE-2016-2059 exploit can switch SELinux from enforcing to permissive mode, effectively disabling its protection.

It’s hard to identify which devices are vulnerable because some manufacturers might wait for Google to release the missing patch before issuing their own firmware updates, while others might take it directly from Qualcomm. To help identify vulnerable devices, Check Point released a free application called QuadRooter Scanner on Google Play that allows users to check if their devices are affected by any of the four flaws.