QuadRooter - Defcon 24 - Public Release Of 4 Vulnerabilities Impacting 900 Million Android Phones and Tablets
A new set of four critical vulnerabilities can allow remote code execution (RCE) and root access on over 900 million Android devices.
Fresh off the press from Defcon 24: security research from Check Point's Adam Donenfeld presents new attack vectors, dubbed 'QuadRooter', against 65% of Android phones.
The attacks are made possible by vulnerable device drivers for the Qualcomm processors and chipsets present in 65% of Android phones today. The 'High' risk vulnerabilities were responsibly disclosed to the Qualcomm team in April 2016; 90 days have since passed and the vulnerabilities have now been disclosed to the public!
These attacks will become more widespread now that the gates have been swung wide open for exploitation. The estimated 900 million affected devices come from some of the biggest names in the industry; even the security-focused, fully encrypted Blackphone 1 and 2 from Silent Circle made the list of affected devices.
Some OEMs with vulnerable devices
- Samsung
- HTC
- LG
- Sony
- Motorola
Some devices using vulnerable Qualcomm drivers
- BlackBerry Priv
- Blackphone 1 and 2
- Google Nexus 5X, 6 and 6P
- HTC One M9 and HTC 10
- LG G4, G5, and V10
- New Moto X by Motorola
- OnePlus One, 2 and 3
- Samsung Galaxy S7 and S7 Edge
- Sony Xperia Z Ultra
Basic details about the attacks
CVE-2016-2059: Linux IPC router binding any port as a control port
A kernel module known as the IPC_Router has been found to be vulnerable; this module provides communication capabilities for various components, processes and hardware drivers. Through a number of steps this module can be used to create a memory corruption that can ultimately be used to disable SELinux and gain root user privileges.
CVE-2016-5340: Ashmem vulnerability
Ashmem is Android's memory allocation subsystem that enables processes to share memory buffers. The flaw in the implementation comes from the way Ashmem checks file types, which allows an attacker to use a feature called 'Obb' to create a malicious file named 'ashmem' on the root file system; this tricks the Ashmem subsystem into thinking it is a valid ashmem file and therefore mounting it.
CVE-2016-2503 and CVE-2016-2504: Use after free due to race conditions in KGSL
Qualcomm's vulnerable drivers for the Android Kernel Graphics Support Layer (KGSL), which communicate with userland binaries in the operating system to render graphics on device screens, contain a use-after-free memory vulnerability caused by a race condition that can be exploited by attackers.
If you would like full technical details on how these attacks are performed, you can check out the whitepaper HERE
Software patches to the rescue... eventually
The problem with Android's diverse landscape of phones and tablets is that even after a patch is created it can potentially take months to reach the end user. The vulnerabilities need to be patched by Qualcomm, the chip manufacturer, then rolled out to the Original Equipment Manufacturers who produce the phones and tablets, where the fix has to be extensively tested on a wide range of devices running all the different versions of the operating system. It is then handballed to the telco provider for further testing and refinement before being made available to the end user, who might still hold off updating for another few weeks because they don't want to download the update and restart their phone. As you can see, it's a very complicated process that requires a lot of coordination between a lot of parties to deliver the end result.
A quote from the Federal Communications Commission (FCC)
"Consumers may be left unprotected for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered."
Recommendation
Until the patch is released you will be vulnerable to these exploits, although some common approaches to keeping your device safer are listed below
- Download and install the latest Android updates as soon as they become available. These include important security updates that help keep your device and data protected.
- Understand the risks of rooting your device – either intentionally or as a result of an attack.
- Avoid side-loading Android apps (.APK files) or downloading apps from third-party sources. Instead, practice good app hygiene by downloading apps only from Google Play.
- Carefully read permission requests when installing apps. Be wary of apps that ask for unusual or unnecessary permissions or that use large amounts of data or battery life.
- Use known, trusted Wi-Fi networks. If traveling, use only networks you can verify are provided by a trustworthy source.
- Consider mobile security solutions that detect suspicious behavior on a device, including malware hiding in installed apps.
How to check if your device is vulnerable
It has only been two days since the exploits were released, but given the gravity of the attacks it might not be a bad idea to check your device and see if it is vulnerable. This will also be helpful once you receive a patch, just to double-check that the issue is resolved.
Check Point has released a free application on the Google Play store for users to scan their devices and check if they are vulnerable - find it HERE
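Added example (this is not code from the original post and not Check Point's scanner): a small POSIX shell script that triages an adb shell getprop dump the way a defender might while waiting for a patch. It assumes that Qualcomm boards of this era report ro.board.platform values beginning with msm or apq, reads the ro.build.version.security_patch string, and compares it with PATCH_CUTOFF, which is only an assumed placeholder here; replace it with the patch level your OEM states carries the QuadRooter fixes. The getprop output embedded below is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post or Check Point's tooling.
# Triage an `adb shell getprop` dump: flag devices that (a) report a Qualcomm
# MSM/APQ board platform and (b) carry a security patch level older than a cutoff.

# ASSUMPTION / PLACEHOLDER: set this to the patch level your OEM says fixes QuadRooter.
PATCH_CUTOFF="2016-08-05"

# Constructed sample of `adb shell getprop` output (a real dump would be
# captured with: adb shell getprop > props.txt).
sample_props() {
cat <<'EOF'
[ro.board.platform]: [msm8996]
[ro.build.version.security_patch]: [2016-07-05]
[ro.product.model]: [EXAMPLE-DEVICE]
EOF
}

# get_prop NAME : read a getprop dump on stdin and print NAME's value.
get_prop() {
  sed -n "s/^\[$1]: \[\(.*\)]$/\1/p"
}

# is_qualcomm PLATFORM : Qualcomm board platforms of this era use msm*/apq* names
# (assumption stated in the lead-in).
is_qualcomm() {
  case "$1" in
    msm*|apq*) return 0 ;;
    *)         return 1 ;;
  esac
}

# patch_older_than LEVEL CUTOFF : compare YYYY-MM-DD strings numerically.
# An empty/unknown level is treated as older than any cutoff.
patch_older_than() {
  lvl=$(printf '%s' "$1" | tr -d -)
  cut_off=$(printf '%s' "$2" | tr -d -)
  [ "${lvl:-0}" -lt "$cut_off" ]
}

# triage DUMP : DUMP is the full getprop text; prints EXPOSED / PATCHED / NOT-QUALCOMM.
triage() {
  dump=$1
  platform=$(printf '%s\n' "$dump" | get_prop ro.board.platform)
  patch=$(printf '%s\n' "$dump" | get_prop ro.build.version.security_patch)
  if ! is_qualcomm "$platform"; then
    echo "NOT-QUALCOMM (${platform:-unknown}): the affected Qualcomm drivers are not present"
  elif patch_older_than "$patch" "$PATCH_CUTOFF"; then
    echo "EXPOSED: $platform at patch level ${patch:-unknown}, older than $PATCH_CUTOFF; run the scanner and install OEM updates"
  else
    echo "PATCHED: $platform at patch level $patch"
  fi
}

# Run against the constructed sample; prints an EXPOSED line.
triage "$(sample_props)"
```

To use it on a real device, capture the dump with adb shell getprop > props.txt and call triage "$(cat props.txt)". An EXPOSED result does not mean the device has been compromised; it only means the vulnerable driver family is present and the reported patch level predates the cutoff, so the Check Point scanner and the OEM update channel are the next stop.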
Conclusion
With many of the people reading this post having bitcoin or cryptocurrency wallets on their Android devices, the last thing you want is an attacker with root-level access to your device. Cryptocurrency holders should be the most vigilant, as we are holding real value on our devices that can be swept away in minutes with no recourse; as such we will be targeted by these attacks more than everyday users.
These vulnerabilities need an entry point onto your phone; the method of entry is a malicious app, downloaded from 'a' play store or side-loaded. I would suggest everyone be very cautious about the applications they download and install, especially if the Check Point scanner finds you to be vulnerable.
Follow the recommendations outlined above; don't install disreputable apps even if they are from the Play store, and stay safe until the patches roll out.
Qualcomm has released its patch revision; now we are just waiting on the OEMs and telcos to pass it down the line.
Just when I'm ready to leave iPhone, I get scared off :/
Seriously though, thanks for this news, I wouldn't have known as I don't go anywhere else but Steemit now.
I'm rocking an Android, don't be too worried, just don't go nuts installing dodgy apps. iPhone is more secure for a number of reasons (i.e. no shared storage, one app store, no sideloading, better vetting of apps, and the other one that comes to mind is granular permission sets, i.e. this app can access my contacts but this one cannot; Android recently integrated that feature and it is the main reason I got one now).
On the other hand, an Apple device is so locked down that it can really be painful when trying to do simple things like transfer files on and off the phone, or use SDR dongles and Trezors via an OTG cable, etc. Get a droid... I really want to try a Blackphone 2.
Yeah, that's why I want to change over. Maybe your next hit post is a tutorial for moving to Android from iPhone safely and securely.
You stole my hope, then gave it back :D
Future buyers => only look at Exynos devices
Thank you for sharing this. I never read news, but now because of you I know to check my phone with the app now and then.
I just scanned my phone and it found 4 vulnerabilities :/
Doesn't mean they have been exploited, just that they are there. Check if you have any patches available to you... what sort of device?
Samsung Galaxy J5
I think nearly all Samsungs run Qualcomm. I have an S7E, same boat as you, 4 vulns :)
ah shit. ...
Thanks for sharing this!
The biggest risk with Android is third-party apps. All the way down to the lowly flashlight app.
http://www.snopes.com/computer/internet/flashlight.asp
Typically, the developers just want to know where the app is being used ... but you never know.
👍 Nice information @steempower
I hope my phone is all right
I use a Samsung Galaxy S6, thankfully! But I like the vulnerability tool link here in the article. Thanks!
Thanks for the heads up. I never think about this kind of stuff but I should!