Researchers from security firm Check Point announced at this year’s DefCon security conference that up to 900 million smartphones may be vulnerable to a set of up to four vulnerabilities that appear in Qualcomm-powered devices. The flaws were discovered earlier this year and reported to the manufacturer. Qualcomm has since published fixes, but not all manufacturers have pushed these fixes to all the affected models, including Google’s own Nexus line, which normally has a reputation for being kept more current than most Android devices.
What this means for you:
Based on the Qualcomm chipset affected by these four vulnerabilities, the following models are impacted:
- BlackBerry Priv
- Blackphone 1 and Blackphone 2
- Google Nexus 5X, Nexus 6 and Nexus 6P
- HTC One, HTC M9 and HTC 10
- LG G4, LG G5, and LG V10
- New Moto X by Motorola
- OnePlus One, OnePlus 2 and OnePlus 3
- Samsung Galaxy S7 and Samsung S7 Edge
- Sony Xperia Z Ultra
To find out if your phone is affected by the vulnerabilities, you can run this app from the Google Play Store: QuadRooter Scanner. Buyer beware: the app developer is very transparently marketing its mobile protection app through the publicity surrounding their discovery. I don’t begrudge them the opportunity – after all, they did the hard work to discover these flaws – but I didn’t install their software as I am confident I can keep my device safe, and I’m sceptical of mobile security apps in general. If the app reports that you are vulnerable, it will state which CVEs are still unpatched on your device. You have a few options at this point:
- Check to see if any outstanding OS updates are available to be installed on your device. Where this is shown will vary depending on your phone’s manufacturer, but typically it will be found in “Settings”.
- Avoid “side-loading” apps from dodgy sources. Only install apps from the Google Play Store and nowhere else. Even then, think twice and read the reviews on any new apps, especially ones that seem to be very new – hackers have been known to sneak malicious apps onto the Play Store for a short while before being detected and removed.
- As usual, avoid opening strange emails, URLs and attachments on your device.
- Send an email to your device manufacturer asking them when they plan to patch the vulnerabilities on your phone. The more people who write in, the more likely the manufacturer is to move faster on deploying the fixes.