Last Sunday at the Def Con hacking convention in Las Vegas, Nevada, the chief of mobile security at Check Point, Mr. Adam Donenfeld, detailed four new security vulnerabilities in Android that could potentially affect as many as 900 million devices worldwide. Collectively known as ‘Quadrooter’, the security holes could allow hackers to remotely gain root access on Android devices by getting unsuspecting users to install a malicious app that doesn’t even need any extra permissions at the time of installation. The vulnerability can only be exploited on devices powered by Qualcomm chips, but the San Diego-based chipmaker says that it has already released patches to fix the issue.
Google, on its part, has confirmed that it too, had fixed up at least three of the four vulnerabilities through its August security patch, and the fourth one will apparently be taken care of with the September security update. However, that still leaves millions of smartphones and tablets vulnerable to the threats, seeing as most devices currently in circulation are highly unlikely to ever see these security updates rolled out to them. However, even though the vulnerabilities may not ever be patched up in the huge majority of Android devices, Google is now claiming that most users should still be safe from Quadrooter under normal circumstances.
According to a statement released by the Mountain View, California-based tech giant, a security feature that is turned on by default as part of Google Play Services on devices running Android 4.2 Jelly Bean and higher versions of the OS, should prevent the malicious software from getting installed. ‘Verify Apps’, a feature incorporated into Android precisely for scenarios like these, scans APK files before their installation to see if they present any security threat to the device and its user. According to Google, it is this feature that, along with SafetyNet, will help “identify, block, and remove applications that exploit vulnerabilities like these”.
While earlier versions of Android had the ‘Verify Apps’ feature as well, it wasn’t turned on by default, so those devices continue to remain vulnerable to the threats posed by Quadrooter. As per earlier reports, though, Android 4.2 Jelly Bean and newer versions account for around 90% of all Android devices in circulation today, so in theory, that should mean only 10% of the so-called 900 million devices are actually in any immediate danger from Quadrooter if Google’s latest assertion is anything to go by. Either way, Android users would still hope that Google and its hardware partners would roll out next month’s security patches as soon as possible.