- Jan 24, 2011
- 9,378
A set of four vulnerabilities in Qualcomm chipsets allow an attacker to gain root-level access on Android devices, which, according to the latest statistics, translates to over 900 million affected tablets and smartphones.
The four vulnerabilities have been disclosed today at the DEF CON 24 security conference in Las Vegas by a team of Check Point researchers.
The four security flaws are CVE-2016-2503 (found in Qualcomm's GPU driver, fixed in Google's Android Security Bulletin for July 2016), CVE-2016-2504 (Qualcomm GPU driver, fixed in Google's Android Security Bulletin for August 2016), CVE-2016-2059 (Qualcomm kernel module, fixed in April, patch status unknown), and CVE-2016-5340 (Qualcomm GPU driver, fixed, patch status unknown).
Simple exploitation routine
All four flaws can be exploited just by installing a rogue app on your device. To carry out the exploitation routine, the attacker's app does not need any special permissions, making it more likely that users would install the app without thinking anything malicious might be hiding inside.
Any of the four flaws will allow an attacker to escalate the app's permissions from user-level to root-level, granting them full access to any phone features.
This means an attacker can download and install malware and malicious apps without any interaction from the user, all done in the phone's background.
Read more: QuadRooter Android Security Bugs Affect over 900 Million Devices
The four vulnerabilities have been disclosed today at the DEF CON 24 security conference in Las Vegas by a team of Check Point researchers.
The four security flaws are CVE-2016-2503 (found in Qualcomm's GPU driver, fixed in Google's Android Security Bulletin for July 2016), CVE-2016-2504 (Qualcomm GPU driver, fixed in Google's Android Security Bulletin for August 2016), CVE-2016-2059 (Qualcomm kernel module, fixed in April, patch status unknown), and CVE-2016-5340 (Qualcomm GPU driver, fixed, patch status unknown).
Simple exploitation routine
All four flaws can be exploited just by installing a rogue app on your device. To carry out the exploitation routine, the attacker's app does not need any special permissions, making it more likely that users would install the app without thinking anything malicious might be hiding inside.
Any of the four flaws will allow an attacker to escalate the app's permissions from user-level to root-level, granting them full access to any phone features.
This means an attacker can download and install malware and malicious apps without any interaction from the user, all done in the phone's background.
Read more: QuadRooter Android Security Bugs Affect over 900 Million Devices
