New security vulnerability puts 900 million Android devices at risk, researchers warn

Security firm Check Point has identified vulnerabilities affecting 900 million smartphones and tablets that use chipsets from component maker Qualcomm.

Check Point disclosed the vulnerabilities Sunday at the DEF CON 24 hacking conference in Las Vegas. The four vulnerabilities, dubbed “QuadRooter” by Check Point, affect Android devices using chipsets from component maker Qualcomm. Chipsets are collections of components or circuits that handle data flow within a device.

If any one of the vulnerabilities is exploited, an attacker could gain access to the device, explained Check Point, in a blog post. “Any Android device using these chipsets is at risk,” it added.

An attack could exploit the vulnerabilities in the chipsets’ software drivers using a malicious app. “Since the vulnerable drivers are pre-installed on devices at the point of manufacture, they can only be fixed by installing a patch from the distributor or carrier,” Check Point said.


Check Point says the situation highlights the inherent security risks in Google's Android operating system. “Critical security updates must pass through the entire supply chain before they can be made available to end users,” it said. “Once available, the end users must then be sure to install these updates to protect their devices and data.”

A spokesman for Check Point said there is no evidence that QuadRooter has been used in a cyberattack. However, only three of the four ‘critical’ QuadRooter patches have been fixed, he added.

“We appreciate Check Point's research as it helps improve the safety of the broader mobile ecosystem,” a Google spokesman said via email. “Android devices with our most recent security patch level are already protected against three of these four vulnerabilities.”

The fourth vulnerability, CVE-2016-5340, will be addressed in an upcoming Android security bulletin, Google added, noting that the company's Android partners can take action sooner by referencing a "public patch" provided by Qualcomm.

Qualcomm said that it was notified about the vulnerabilities between February and April 2016, and made patches for all four vulnerabilities available between April and July.

Android devices containing the vulnerable chipset technology include the BlackBerry Priv, Google’s Nexus 5X, Nexus 6 and Nexus 6P and Samsung’s Galaxy S7 and S7 Edge, according to Check Point.

"BlackBerry is aware of the Quadrooter flaws and the vulnerabilities that affects the majority of Android devices," said BlackBerry, in a statement emailed to "A fix for BlackBerry’s Android devices was integrated and tested in our labs immediately after the report was received and we will expedite it to customers as soon as possible."

The phone maker said that it is not aware of any exploits for the vulnerability "in the wild" and does not believe that any customers are currently at risk.

Samsung has not yet responded to a request for comment on this story.

Check Point is offering a free QuadRooter scanner app on Google Play that can test devices for the vulnerability.

This is not the first time that Android has been thrust into the security spotlight. Last year the Stagefright flaw in Android’s multimedia processing sparked concern and prompted fixes from Google, carriers and smartphone makers.

Manufacturers are ramping up their efforts around mobile device security. Last week, for example, Samsung unveiled its Galaxy Note7 phone, which offers iris-scanning technology to unlock the Android device.

Follow James Rogers on Twitter @jamesjrogers