900 Million Android Phones Have the QuadRooter Vulnerability. Yours Is Probably One of Them

Here’s what to do about it.

BY Minda Zetlin - 09 Aug 2016


An estimated 900 million Android devices have four newly discovered vulnerabilities collectively dubbed QuadRooter. Any of these vulnerabilities could potentially be exploited to give miscreants complete access to everything in a phone.

The vulnerabilities were discovered months ago but announced to the world this week at the DEF CON security conference in Las Vegas by security firm Check Point. They exist in phones built with chipsets from Qualcomm, including the latest Nexus phones, Samsung phones, the BlackBerry Priv, and the OnePlus One (and 2 and 3) phones. This is just a short list of the newest phones with Qualcomm chipsets--many, many other phones on the market have them as well.

If you have an Android phone, here's what you need to know.

1. No need to panic

First of all, there's a big difference between a vulnerability--a design flaw that has the potential to be exploited--and an actual security breach. QuadRooter, so far, is in the former category. It's not a good thing, but so far as we know, no one has used it for nefarious purposes, at least not yet.

2. Check your settings

Google says its Google Play Store reviews apps before they are offered to the public to make sure that they are not set to exploit the QuadRooter vulnerabilities. So if you get your apps from the Google Play Store, you likely have nothing to worry about.

And, if your version of Android is Check your settings under "Security." By default, "Unknown Sources," which allows you to install apps from places other than the Play Store, should be disabled. Leave it that way, and you have nothing to worry about. You may also see a setting called "Verify Apps," which offers the option to "Scan device for security threats." Make sure this is on. (It is by default.)

The simplest way to avoid trouble is to only install apps from the Google Play Store, but there are many reasons you may want to install one from elsewhere. If so, make sure device scanning is on and, needless to say, only install apps from trusted sources.

3. Keep up with updates

Google is now sending monthly security updates to Android devices and has used these updates to patch three of the four QuadRooter vulnerabilities so far, with the fourth expected to be patched in the next monthly update. For this and many other reasons, it's smart to keep up with these updates, so either set your phone to update automatically, or install updates as soon as you can when they're offered.

4. If your phone is truly ancient, consider an upgrade

Google says Verify Apps is present in all Android operating systems since 2012, which accounts for more than 99 percent of the phones out there. I'm not so sure--there are a lot of people out there with really outdated phones. The oldest phones are considered most vulnerable because they may have aged out of getting regular, automatically distributed updates.

If you have a phone that old, you may not be installing a lot of apps, and so QuadRooter likely isn't much of a worry. And I'll guess that you're not using your phone to run your business or do anything essential other than making calls and sending texts. But if I'm wrong and you are using it for sensitive data or other essential functions, consider getting a newer model.
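For anyone checking more than one phone, the settings, update, and old-device checks from steps 2 through 4 can be scripted. The Python below is an added example, not part of the original article or of Check Point's scanner; it evaluates values collected over `adb`, and the sample output, the baseline date, and the Qualcomm naming heuristic are assumptions.

```python
import re
from datetime import date

# Constructed sample of `adb shell getprop` output; not from a real device.
SAMPLE_GETPROP = """\
[ro.product.model]: [Example Phone]
[ro.hardware]: [qcom]
[ro.board.platform]: [msm8996]
[ro.build.version.security_patch]: [2016-07-01]
"""

# Placeholder baseline (assumption): set it from your vendor's security
# bulletin. It does not state which patch level fixes QuadRooter.
REQUIRED_PATCH = date(2016, 9, 1)

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

def parse_getprop(text):
    """Turn '[key]: [value]' lines into a dict, skipping anything else."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def is_qualcomm(props):
    """Heuristic (assumption): Qualcomm builds report 'qcom' or msm*/apq*."""
    platform = props.get("ro.board.platform", "").lower()
    return props.get("ro.hardware") == "qcom" or platform.startswith(("msm", "apq"))

def audit(getprop_text, unknown_sources, verify_apps, required=REQUIRED_PATCH):
    """Return findings for one device.

    unknown_sources: output of `settings get secure install_non_market_apps`
    verify_apps:     output of `settings get global package_verifier_enable`
    Both print 'null' when unset, which means the default applies.
    """
    findings = []
    if unknown_sources.strip() == "1":
        findings.append("unknown-sources-enabled")
    if verify_apps.strip() == "0":
        findings.append("verify-apps-disabled")
    raw = parse_getprop(getprop_text).get("ro.build.version.security_patch", "")
    try:
        if date.fromisoformat(raw) < required:
            findings.append("patch-level-behind-baseline")
    except ValueError:  # property missing or malformed: typical of old builds
        findings.append("no-patch-level-reported")
    return findings
```

On some Android versions the Unknown Sources key lives in the `global` settings namespace instead of `secure`, so read whichever one the device populates.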

5. There's an app that will tell you if you're vulnerable

Check Point is offering a free app called QuadRooter Scanner on the Google Play Store so that you can scan your phone and see if it has the vulnerabilities. Presumably, it scans your phone to see if it has the Qualcomm chipset. I'd be quick to recommend installing it if it didn't seem that most modern phones do have the vulnerabilities, but are protected by Verify Apps. Still, if you're curious, here it is.

6. Remember the source

One thing about QuadRooter is very typical: its existence was announced to the world by a security company. Like all security software makers, Check Point has an agenda here. It's to the company's advantage if people are worried about their mobile device's security. That agenda is crystal clear in Check Point's QuadRooter FAQ which contains this question:

How can I protect employee's devices from attacks using these vulnerabilities?

And this answer:

Without an advanced mobile threat detection and mitigation solution on the Android device, there is little chance a user would suspect any malicious behavior has taken place.

In other words: If you're smart, you'll buy our product right now.

It's unfortunate that there is no disinterested government or media party scanning the wilderness for cyber security threats. Until there is, smart users and business owners will have to evaluate warnings about things like QuadRooter on a case-by-case basis, and reach our own conclusions about how bad a threat really is and what we should do to respond to it.