Check Point researchers discovered a set of four vulnerabilities, named Quadrooter, affecting Qualcomm chipset software drivers used in Android devices. The flaws could affect 900 million devices running Android Marshmallow.
An attacker needs only to write a piece of malware and send it to a victim or deliver it through a malicious app, according to a Check Point report. Once installed, the malware provides the bad actor with privilege escalation which would allow them to gain root access on that device. They would then be capable of extracting data and manipulating the device's camera and microphone.
If exploited, the vulnerabilities can grant "complete control of devices and access to sensitive personal and enterprise data" to attackers, the report stated. "If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations and gain root access to a device."
Qualcomm released patches for all four vulnerabilities last month, although the process of individual Android devices releasing a patch can take anywhere from “several weeks to months, depending on the manufacturer, carrier, and Google,” Check Point mobile security evangelist Jeff Zacuto told SCMagazine.com.
Vulnerabilities can occur within any Android component. The unique challenge for the Android platform is that when patches affecting a hardware component are discovered, the patch then must “work its way through the Android supply chain,” Zacuto said.
Nexus devices received patches for three of the flaws in Google's most recent monthly security update, and a patch for the fourth will be issued in the upcoming September update, Zacuto said.