Vulnerability Exposes 900M Android Devices—and Fixing Them Won’t Be Easy

From Wired:

The latest Android vulnerability to fret about isn’t limited to any particular device, or any specific firmware version. That’s because it doesn’t start with Android at all, but with Qualcomm, the company that provides internal components for hardware manufacturers. Lots of them. In this case, 900 million Android smartphones with Qualcomm inside are at risk, and fixing them will be no easy task.

As security research firm Check Point detailed this week, the vulnerability in question is actually a set of four issues, collectively called QuadRooter, and affects Qualcomm chipsets from manufacturers ranging from HTC to LG to OnePlus to Google, which contracts with other makers for its own Nexus devices. It’s serious; compromised devices would give bad actors root access, meaning they could collect any data stored on the phone, control the camera and microphone, and track its GPS location. It’s like giving someone the keys to your house, then holding the door open for them while they make off with the jewels.

Smartphones and tablets often experience vulnerabilities like this, regardless of the operating system. When it happens on iOS, though, Apple’s generally able to address the issue quickly because it so tightly controls both the hardware and software that comprise its ecosystem. On Android, the fixes are rarely so easy.

“Android security updates are really hard,” says Jeff Zacuto, a member of Check Point’s Mobile Research team. “The Android ecosystem is so fragmented. There are a lot of different versions and variants of Android in the marketplace, because each individual device has its own particular nuances.”

That’s not a new problem; even at the most basic level, only 15 percent of Android devices have updated to Android 6.0 Marshmallow, which Google released last October. Nearly a third are still on Android 4.4 KitKat, which by now is nearly …
