Android could be facing another Armageddon, just as we saw with the “Stagefright” vulnerability last summer (see “Android’s Armageddon”). But while that “Mother of all Android Vulnerabilities” targeted Android’s Multimedia Messaging Service, this time the driver for Qualcomm’s LTE chipset is in the firing line… And as before, while a fix for this vulnerability has been quickly made available, the big problem has been getting this fix to your Android device: mobile phone manufacturers and providers are incredibly slow at passing it along…
What can you do to get this fix? Basically, there's nothing you can do but wait. For certain smartphone models (e.g. HTC One M9 and HTC 10; LG G4, G5, and V10; Samsung Galaxy S7 and S7 Edge; and others), you are completely exposed. This four-fold vulnerability, dubbed “QuadRooter”, in the driver for the LTE mobile communication chipset of Android smartphones can be exploited by just one malicious app… Once installed, it becomes “root”, the master and commander-in-chief of that smartphone. Luckily, so far, no public exploitation of that vulnerability has been reported! Potential defences? Usually we would recommend applying the corresponding fix made by Google. However, this requires your preferred smartphone manufacturer to adapt that patch to your hardware. And, as experience has shown, this can take a while or might never happen. Alternatively, you can try to re-compile your Android device’s operating system yourself – but this is an approach recommended only for experts.
So, interesting times lie ahead. Not only for Androids but also for many other devices. Vulnerability disclosure cycles are getting faster and faster, and patching, i.e. fixing those vulnerabilities, must be done more promptly. With a world full of smartphones, the Internet-of-Things, inter-connected fridges and cars (see the article “Our life in symbiosis”), and SmartMeters, a new patching paradigm is needed… Today, our patching methods are too slow and inflexible (see the article “Agility for computers”). Android’s Armageddon is just another example.
P.S.: If you believe that Apple’s iOS is better… Er, no, as the recent “Pegasus” exploit showed. However, at least Apple controls the update chain, so security fixes are always rolled out quickly (for iOS versions 9 and above).
For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report.
Access the entire collection of Computer Security articles here.