QuadRooter: The Android Armageddon That Didn’t Come

A little over a week ago, Check Point, a security software firm, announced an Android vulnerability that could potentially affect 900 million devices worldwide. I am sure you have seen a headline with 900 million and Android in it somewhere.

The company gave this threat a catchy name, “QuadRooter”. Here is how Check Point describes the threat:

What is QuadRooter?

QuadRooter is a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets. Qualcomm is the world’s leading designer of LTE chipsets with a 65% share of the LTE modem baseband market. If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations for the purpose of gaining root access to a device.

Reading the headlines after the announcement gave you the feeling that 900 million Android users were in danger of being assimilated by some evil force, and that their phones would potentially turn against them. Funny that, so far, there are no reported cases of any phones being hijacked through QuadRooter. But do not worry: the company that found the problem just happens to have a solution for it too.

An article on Android Central sums up the situation quite well:

  • Catchy marketing name? Check.

  • Big scary number of “vulnerable” devices? Check.

  • Free detection app peddled by security company with a product to sell? Check.

  • No evidence of use in the wild? Check.

  • Press at large ignoring the Play Store and Verify Apps as a roadblock against app-based exploits? Check.

It’s the same dance we do every year around security conference time. In 2014 it was Fake ID. In 2015, it was Stagefright. Unfortunately, understanding of Android security issues in the media at large has remained woeful, and that means figures like the “900 million” affected bounce around the echo chamber without context.

You would have to do a lot of foolish things and ignore a lot of built-in warning mechanisms for QuadRooter-related malware to affect your phone.

It seems that a lot of security companies have found their role models in politicians; fearmongering seems to be good for business.

Operating systems are vulnerable and there is no such thing as absolute safety, but at the end of the day common sense is your best advisor.