Four serious vulnerabilities have been discovered in the software drivers for Qualcomm chipsets used in hundred of millions of Android devices worldwide, allowing attackers full remote control.
Security firm Check Point Software estimated some 900 million Android devices worldwide that use the affected Qualcomm chipsets are vulnerable. Check Point Australia spokesperson Chris Rodridgues told iTnews around ten million devices locally are impacted.
The vulnerable chipsets are found in newer devices from major Android makers such as Samsung, HTC, Motorola, Sony and LG, as well as in security and privacy-oriented handsets like the Blackberry Priv and Silent Circle's fully encrypted Blackphone 1 and 2.
The Google-branded Nexus 5X, 6 and 6P also contain the Quadrooter flaws.
The four low-level flaws affect the drivers interprocess communication (IPC) router for Qualcomm components, the Android kernel anonymous shared memory (Ashmem) feature, and two graphics drivers.
Attackers can use the IPC vulnerability to cause memory corruption and take advantange of a file type confusion bug via a deprecated feature in Ashmem to create malicious files in the operating system's root directory.
Qualcomm's vulnerable drivers for the Android Kernel Graphics Support Layer (KGSL) - which communicate with userland binaries in the operating system to render graphics on device screens - contain a use-after-free memory vulnerability, due to a race condition that can be exploited by attackers.
Malicious apps that exploit the vulnerabilities need no special permissions, and users would not see any warnings that their devices are being attacked, Check Point said.
The vulnerabilities can be exploited to give full control over user devices and the confidential data stored within.
While the flaws have been disclosed to Qualcomm, which has issued patches, the vulnerable drivers are preinstalled on devices when they're manufactured and can only be fixed with updates from distributors or telco carriers - which are reliant on Qualcomm sending them patches.
This, Check Point said, highlights "inherent risks in the Android security model".
"Critical security updates must pass through the entire supply chain before they can be made available to end users," Check Point said in its technical report on Quadrooter [pdf - registration required].
"Once available, the end users must then be sure to install these updates to protect their devices and data."
The complexity means deploying security patches urgently to a large number of devices is very hard for Google's Android partners.
"Fixes require mind-bending coordination between suppliers, manufacturers, carriers and users before patches make it from the drawing board to installation," Check Point said.
"The fragmented world of Android leaves many users exposed to risk, even with out-of-the-box devices."
To mitigate against the flaws, Check Point suggested users download and apply Android updates as early as possible, and don't "root" or remove privilege restrictions on their devices unless the risks of doing so are fully understood.
Android users should also avoid side-loading apps from other sources than the official Google Play store, read permissions carefully when software is installed, and only use known, trusted wi-fi networks when travelling.
Check Point has also built an Android app that lets users scan their devices to see if they are vulnerable to Quadrooter, which is available for free on Google's Play store.