Life After QuadRooter: Measuring The Impact

Following Check Point’s disclosure of QuadRooter at Black Hat USA on August 7, the free QuadRooter scanner app was downloaded over half a million times. The scan results Check Point collected show that almost two-thirds of scanned devices were affected. These reports also offer a unique opportunity to analyze a large sample of in-use devices and see how the Android community is affected by, and responds to, new vulnerabilities.

Learn the technical details of QuadRooter: Download our report today.

Methodology

The scanner app was designed to detect QuadRooter vulnerabilities in different ways. It used code analysis of potential exploit techniques to detect CVE-2016-2504 and CVE-2016-2059 accurately without any effect on the user’s device. CVE-2016-2504 was patched by Google in the August 2016 security update, and for CVE-2016-2059 Android now uses a SELinux rule to block exploitable code paths.

The only way to test if a device was vulnerable to CVE-2016-2503 and CVE-2016-5340 was to execute a partial exploit, which could have caused a device to crash and reboot. Instead, the scanner app queried the device for the most recently installed Android security update. CVE-2016-2503 was patched in the July 2016 security update and CVE-2016-5340 will be patched in the September 2016 security update.

Some manufacturers also made security patches available through out-of-band updates ahead of monthly Android security updates. BlackBerry was the first manufacturer to announce on August 15 that it had patched QuadRooter vulnerabilities affecting the BlackBerry Priv and DTEK50.

Data collection

Between August 7 and August 10, Check Point received nearly 500,000 anonymous device scan reports. This sample excludes any out-of-band security updates installed on devices that could have affected the accuracy of any analysis.

After opening the scanner app for the first time and agreeing to submit anonymous results, the app scanned the device and sent a report of the results to Check Point. These reports included the device make and model, the version of Android installed on the device, the date of the latest installed Android security update, and indicators for the four vulnerabilities. Subsequent device scans did not generate additional reports.
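The scoring described under Methodology and Data collection, as an added sketch that is not Check Point's scanner code: two CVEs are taken from the report's code-analysis indicators and two are inferred from the date of the installed security update. The report field names, the sample reports and the month-granularity cutoffs are assumptions made for this example.

```python
from datetime import date

# Month of the Android security update carrying each fix, per the article.
# Assumption: a patch level dated in that month or later includes the fix
# (real bulletins can define more than one patch level per month).
FIXED_IN = {"CVE-2016-2503": (2016, 7), "CVE-2016-5340": (2016, 9)}
CODE_ANALYSIS_CVES = ("CVE-2016-2504", "CVE-2016-2059")


def parse_patch_level(value):
    """Return (year, month) from a 'YYYY-MM-DD' patch level, or None."""
    try:
        d = date.fromisoformat(value)
    except (TypeError, ValueError):
        return None
    return (d.year, d.month)


def assess(report):
    """Map each QuadRooter CVE to True (affected) or False for one report."""
    found = report.get("indicators", {})
    result = {cve: bool(found.get(cve)) for cve in CODE_ANALYSIS_CVES}
    level = parse_patch_level(report.get("security_patch"))
    for cve, fixed in FIXED_IN.items():
        # Missing or unparsable patch level: fail closed, report as affected.
        result[cve] = level is None or level < fixed
    return result


def affected_share(reports):
    """Fraction of reports affected by at least one of the four CVEs."""
    hits = sum(any(assess(r).values()) for r in reports)
    return hits / len(reports) if reports else 0.0


# Constructed sample reports; field names and values are hypothetical.
CLEAN = {"CVE-2016-2504": False, "CVE-2016-2059": False}
SAMPLE_REPORTS = [
    {"model": "device-a", "security_patch": "2016-06-01",
     "indicators": {"CVE-2016-2504": True, "CVE-2016-2059": True}},
    {"model": "device-b", "security_patch": "2016-08-05", "indicators": CLEAN},
    {"model": "device-c", "security_patch": None, "indicators": CLEAN},
    {"model": "device-d", "security_patch": "2016-09-01", "indicators": CLEAN},
]

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        print(r["model"], assess(r))
    print("affected share:", affected_share(SAMPLE_REPORTS))
```

In the sample, device-b carries an August patch level and clean code-analysis indicators yet is still counted as affected, because the CVE-2016-5340 fix is tied to the September update.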

Results

Almost two-thirds (63%) of the devices scanned were affected by at least one QuadRooter vulnerability. This correlates with Check Point’s initial assessment that QuadRooter affected at least 900 million out of approximately 1.4 billion Android devices (64%).

The analysis of Android users’ update habits was particularly grim. The vast majority of users did not have the latest Android security patch installed, leaving them vulnerable.

The number of users affected by vulnerabilities like QuadRooter highlights just how critical it is to install the latest security updates right away. However, these updates can take time to develop and deploy. For QuadRooter, users were actually exposed for quite some time.

It’s clear Android fragmentation can cause vulnerabilities to remain unpatched for weeks or even months. During these months, even devices with the latest security update installed can remain exposed. All four QuadRooter vulnerabilities were reported between February and April, but Android updates were made available to users only between June and September.

Recommendations

Check Point continues to recommend organizations encourage employees to follow these best practices to help keep Android devices safe from attacks:

For users who use their personal Android devices for work purposes, Check Point also recommends the following considerations:
