Following Check Point’s disclosure of QuadRooter at Black Hat USA on August 7, the free QuadRooter scanner app was downloaded over half a million times. The results of the scans Check Point collected show that almost two thirds of scanned devices were affected. These reports also offer a unique opportunity to analyze a large sample of in-use devices to see how the Android community is affected by and responds to new vulnerabilities.
Learn the technical details of QuadRooter: Download our report today.
Methodology
The scanner app was designed to detect QuadRooter vulnerabilities in different ways. It used code analysis of potential exploit techniques to detect CVE-2016-2504 and CVE-2016-2059 accurately without any effect on the user’s device. CVE-2016-2504 was patched by Google in the August 2016 security update, and for CVE-2016-2059 Android now uses a SELinux rule to block exploitable code paths.
The only way to test if a device was vulnerable to CVE-2016-2503 and CVE-2016-5340 was to execute a partial exploit, which could have caused a device to crash and reboot. Instead, the scanner app queried the device for the most recently installed Android security update. CVE-2016-2503 was patched in the July 2016 security update and CVE-2016-5340 will be patched in the September 2016 security update.
Some manufacturers also made security patches available through out-of-band updates ahead of monthly Android security updates. BlackBerry was the first manufacturer to announce on August 15 that it had patched QuadRooter vulnerabilities affecting the BlackBerry Priv and DTEK50.
Protect Your Enterprise | Scan Your Personal Device
Data collection
Between August 7 and August 10, Check Point received nearly 500,000 anonymous device scan reports. This sample excludes any out-of-band security updates installed on devices that could have affected the accuracy of any analysis.
After opening the scanner app for the first time and agreeing to submit anonymous results, the app scanned the device and sent a report of the results to Check Point. These reports included the device make and model, the version of Android installed on the device, the date of the latest installed Android security update, and indicators for the four vulnerabilities. Subsequent device scans did not generate additional reports.
Results
Almost two-thirds (63%) of the devices scanned were affected by at least one QuadRooter vulnerability. This correlates with Check Point’s initial assessment that QuadRooter affected at least 900 million out of approximately 1.4 billion Android devices (64%).
The analysis of Android user’s update habits was particularly grim. The vast majority of users did not have the latest Android security patch installed, leaving them vulnerable.
The number of users affected by vulnerabilities like QuadRooter highlights just how critical it is to install the latest security updates right away. However, these updates can take time to develop and deploy. For QuadRooter, users were actually exposed for quite some time.
It’s clear Android fragmentation can cause vulnerabilities to remain unpatched for weeks or even months. During these months, even devices with the latest security update installed can remain exposed. All four QuadRooter vulnerabilities were reported between February and April, but Android updates were made available to users only between June and September.
- CVE-2016-2059
- February 2, 2016: Check Point discloses vulnerability to Qualcomm
- February 10, 2016: Qualcomm confirms vulnerability
- April 29, 2016: Qualcomm releases public patch
- Google includes SELinux rule to block exploitable code paths in Android.
- CVE-2016-2503 and CVE-2016-2504
- April 4, 2016: Check Point discloses vulnerabilities to Qualcomm
- May 2, 2016: Qualcomm confirms vulnerabilities
- July 6, 2016: Qualcomm releases public patches
- Google includes patch for CVE-2016-2503 in its July 2015 Android security update
- Google includes patch for CVE-2016-2504 in its August 2016 Android security update
- CVE-2016-5340
- April 10, 2016: Check Point discloses vulnerability to Qualcomm
- May 2, 2016: Qualcomm confirms vulnerability
- July 28, 2016: Qualcomm releases public patch
- Google will include patch in its September 2016 Android security update
Recommendations
Check Point continues to recommend organizations encourage employees to follow these best practices to help keep Android devices safe from attacks:
- Download and install the latest Android updates as soon as they become available. These include important security updates that help keep your device and data protected.
- Understand the risks of rooting your device – either intentionally or as a result of an attack.
- Examine carefully any app installation request before accepting it to make sure it’s legitimate.
- Avoid side-loading Android apps (.APK files) or downloading apps from third-party sources. Instead, practice good app hygiene by downloading apps only from Google Play.
- Read permission requests carefully when installing any apps. Be wary of apps that ask for permissions that seem unusual or unnecessary or that use large amounts of data or battery life.
- Use known, trusted Wi-Fi networks or while traveling use only those that you can verify are provided by a trustworthy source.
- End users and enterprises should consider using mobile security solutions designed to detect suspicious behavior on a device, including malware that could be obfuscated within installed apps.
For users who use their personal Android devices for work purposes, Check Point also recommends the following considerations:
- Enterprises should deploy a mobile security solution that detects and stops advanced mobile threats.
- Contact your mobility, IT, or security team for more information about how it secures managed devices.
- Use a personal mobile security solution that monitors your device for any malicious behavior.
Learn the technical details of QuadRooter: Download our report today.