'QuadRooter' flaw impacts 900 million Android devices: Should you be worried?

A high security alert for Android devices was issued this week. But do you really need to be worried?

Tech security firm Check Point Software reported an Android vulnerability dubbed “QuadRooter” that could affect over 900 million devices. The announcement was made as the DEF CON 24 security conference got under way in Las Vegas.

QuadRooter is a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets, according to Check Point. Qualcomm is a leading supplier of 4G/LTE chipsets used in many of the world’s top-brand smartphones. “If any one of the four vulnerabilities is exploited, an attacker [can gain] root access to a device,” Check Point said in a release.

Devices named by Check Point as using the Qualcomm chipsets include the Google Nexus 5X, Nexus 6, Nexus 6P, HTC One, HTC M9, LG G4, LG G5, new Moto X, Sony Xperia Z Ultra, OnePlus 3, Samsung Galaxy S7, and Samsung S7 Edge.

Check Point said it contacted both Qualcomm and Google – the developer of the Android operating system – well before the announcement. “We’re in this space to do good. But if we reach a time limit for it to be fixed or not fixed, it is our [responsibility] to go out and tell the broader ecosystem,” Jason Stolarczyk, a Check Point spokesperson, told Foxnews.com, adding that it’s standard practice to give a “vendor” a 90-day notice.

As part of Check Point's disclosure, the team provided a proof-of-concept application with the “malware that was actually able to sneak past the security Google has ‘baked into’ their environment,” Stolarczyk said. “We tried it this morning and it still eluded the Google security,” he said on Wednesday.

Google was quick to respond. “Nexus devices already have protections for 3 of the 4 issues,” a Google spokesperson told Foxnews.com in an email. “We are currently working on an update to Nexus devices to fix the remaining issue. Patches for all supported Nexus devices will be delivered over the air by early September,” Google said.

“Exploitation of these issues depends on users downloading and installing a malicious application. So far, we have seen no evidence of exploitation of these issues,” Google said.

How serious is the threat?

One of the concerns is the “fragmented nature of Google's supply chain,” said Roger Kay, president of Endpoint Technologies Associates, a marketing intelligence firm. So even when a fix is issued, a wide variety of device manufacturers have to follow through and make sure the device is secure.

The threat should be remedied but it's “not...out of control,” Kay said.

Alex Gantman, vice president of engineering and product security lead at Qualcomm, spoke to FoxNews.com about the threat. “They would first have to get you to install their malicious app,” Gantman said in an interview, echoing Google's statement.

Gantman added that if you had a regular off-the-shelf Android device, you would get a series of warnings about installing an app that didn’t come from the Google Play Store. “And there are other protections that Android has in place that make it more difficult for the user just to install an arbitrary app,” he said.

“[But] once that is on your device that malicious app would essentially be able to jailbreak your device,” he added.

“I don’t want to understate these vulnerabilities because we do take them seriously. But the attention that this [vulnerability] is deserving does seem exaggerated,” he said, adding that Qualcomm deals with these issues all the time through an ongoing process, “just like Microsoft puts out a monthly security bulletin.”

Qualcomm was notified about the vulnerabilities between February and April. Patches were made available for all four vulnerabilities to customers, partners, and the open source community between April and July, a Qualcomm spokesperson told Foxnews.com.

The component maker typically requests the notifying organization to refrain from publicizing the threat until Qualcomm is able to “propagate” the fix to “partners.” For open-source Android components, “once we have the fix…a week or two later we will issue a public security advisory,” Gantman said.