QuadRooter vulnerability leaves 900 mn Qualcomm-powered Android phones at risk: Report

These vulnerabilities can be exploited with the use of a malicious app, without requiring special permissions to access these vulnerabilities, leaving the user suspicion free while installing the app.

The QuadRooter vulnerabilities are found in Qualcomm’s software drivers that come with its chipsets. This driver is incorporated into Android builds that manufacturers develop for their devices. These vulnerabilities are pre-installed on Qualcomm powered devices, and can only be fixed with a software patch from the carrier, who can only push it after receiving a patch from Qualcomm.

Unique vulnerabilities affect four modules of the Android system-

• IPC Router (inter-process communication)
• Ashmen (Android kernel anonymous shared memory feature)
• Kgsl (kernel graphics support layer)

• Kgsl_sync (kernel graphics support layer sync)

Qualcomm was intimated about these vulnerabilities by the team in April this year, allowing for a 90 day industry-standard policy to let the company address the problem, before disclosing the vulnerabilities to the public. Qualcomm after reviewing these vulnerabilities had classified each as high risk, and confirmed that it released patches to original equipment manufacturers (OEMs).

Qualcomm own 65 per cent of the LTE chipsets market in the world. These vulnerabilities affect an estimated 900 million devices running on Android, and covers manufactured smartphones from all major companies like HTC, Samsung, LG, Motorola, and more.

Making security updates and patches is a time and resource consuming process, which leaves users without protection while these patches are coded, tested and distributed. In a market device that does not support the latest Android version may not receive an important security update at all, leaving them permanently exposed until they move on to a new device.