A large percentage of Android devices is affected by security vulnerabilities that could be exploited by attackers to easily gain a Root Access. More than a Billion of Android devices are at risk of a severe vulnerability in Qualcomm Snapdragon chip that could be exploited by any malicious application to gain root access on the device. If you’ve got a Qualcomm Snapdragon chip in your Android phone and tablet, make sure you grab its latest security updates – if you can.
Security experts at Trend Micro are warning Android users of some severe programming blunders in Qualcomm’s kernel-level Snapdragon code that if exploited, can be used by attackers for gaining root access and taking full control of your device.
Google has fixed this latest flaw with Android but Trend Micro warns that fragmentation in the Android ecosystem means hackers can still exploit it. While Google will no doubt be looking for apps that exploit the flaws, its scanning systems are far from perfect, and any poorly policed third-party app stores will no doubt wind up featuring free games that carry an unpleasant payload. Android users need to be very careful of installing any mobile apps from untrusted sources.
Gaining root access on a device is a matter of concern, as it grants attackers access to admin level capabilities, allowing them to turn your device against you to snap your pictures, and snoop on your personal data including accounts’ passwords, emails, messages and photos.
The company’s own website notes that Qualcomm Snapdragon SoCs (systems on a chip) power more than a Billion smart devices, including many Internet of Things (IoTs) as of today. Thus, the issue puts many people at risk of being attacked.
Although Google has pushed out updates after Trend Micro privately reported the issues that now prevents attackers from gaining root access with a specially crafted app, users will not be getting updates anytime soon.
If you ask any iOS user about what makes them happy to stick around for with the same device for years, one of their replies would be “My device always runs on the latest version of iOS”. On the other side, Android users are plagued with losing out frequent security updates as well. So there comes the biggest issue with Android-powered devices. They are fragmented! Not all devices run on the latest version of Android.
The security update rolls out to your device through a long chain:
Qualcomm → Google → Your device’s manufacturer → Your network carrier → Your handheld over the air
“Given that many of these devices are either no longer being patched or never received any patches in the first place,” said Trend engineer Wish Wu, “they would essentially be left in an insecure state without any patch forthcoming.”
Unfortunately, what’s more concerning is the fact that the same vulnerable chips are used in a large number of IoT devices, which are no longer in line for security updates. This makes it possible for hackers to gain root access to these connected devices, which is more worrying.
“Smartphones aren’t the only problem here,” said Trend’s Noah Gamer. “Qualcomm also sells their SoCs to vendors producing devices considered part of the Internet of Things, meaning these gadgets are just as at risk.”
“If IoT is going to be as widespread as many experts predict, there needs to be some sort of system in place ensuring these devices are safe for public use. Security updates are an absolute necessity these days, and users of these connected devices need to know what they’re dealing with.”
Whatever be the reason: if security patches are not available for your device model or take too long to arrive, in both the cases it gives miscreants time to exploit the security holes to gain control of your device.
However, some users are lucky to choose Google’s handsets that get their patches direct from the tech giant automatically, making them safe from the vulnerabilities. The handsets include Nexus 5X, Nexus 6P, Nexus 6, Nexus 5, Nexus 4, Nexus 7, Nexus 9, and Nexus 10.
All of the smart devices using the Qualcomm Snapdragon 800 series, including the 800, 805 and 810 and running a 3.10-version kernel are affected by the vulnerabilities.
The vulnerable code is present in Android version 4 to version 6. In the tests, researchers found Nexus 5, 6 and 6P, and Samsung Galaxy Note Edge using vulnerable versions of Qualy’s code.
Though the researchers do not have access to every Android handset and tablet to test, the list of vulnerable devices is non-exhaustive.
Since the researchers have not disclosed full details about the flaws, the short brief about the vulnerabilities is as follows:
Trend Micro security discovered this particular vulnerability, which is described as a logic bug when an object within the kernel is freed. A node is deleted twice before it is freed. This causes an information leakage and a Use After Free issue in Android. (UAF issues are well-known for being at the heart of exploits, particularly in Internet Explorer.)
This particular vulnerability lies in the function get_krait_evtinfo. (Krait refers to the processor core used by several Snapdragon processors). The function returns an index for an array; however, the validation of the inputs of this function are not sufficient. As a result, when the array krait_functions is accessed by the functions krait_clearpmu and krait_evt_setup, an out-of-bounds access results. This can be useful as part of a multiple exploit attack.
Gaining root access
Using these two exploits, one can gain root access on a Snapdragon-powered Android device. This can be done via a malicious app on the device. To prevent further attacks that may target either the patched vulnerabilities or similar ones that have yet to be discovered, security experts are not disclosing the full details of this attack.
Trend Micro researchers will disclose the full details of exactly how to leverage the bugs at the upcoming Hack In The Box security conference in the Netherlands to be held in late May 2016.
Michael Shaulov, head of mobility product management at Check Point, told SCMagazineUK.com that it’s critical to ensure that devices are using the most up-to-date software versions to protect against known vulnerabilities.
“Unfortunately, updating software is clearly not enough as it can take months for vulnerabilities to be patched. This leaves plenty of time for attackers to exploit and use them as weapons. So it’s also important to use security measures that are able to detect malicious applications that try to conduct any sort of privilege escalation,” he said.
Mark James, security specialist at ESET, told SC that he expects to see more of these types of problems on platforms where there is such a vast range of operating versions.
“Android is one of the worst as the users often forget the importance of keeping mobile devices up to date – and not just application’s but operating systems as well. But with so many suppliers either not updating or being very late in releasing updates, it is a security minefield.”
James added that if your devices are not being patched as frequently as liked then your only choice for security is limiting apps or services allowed to be installed.
If you restrict or vet your software then you limit the attack vector for malware to strike. There are many mobile device management options available to you that should be installed alongside a good internet security product to help keep your device safe.
About the fragmentation issue with the Android update
Let’s see how does Google plan to fix it.
Is Google taking steps to fix this fragmentation issue with the Android N update?
With Android N, Google is trying to split the whole operating system into two parts: the core OS (the framework that makes everything work) and the interface built on top of it (the apps, launcher, notifications, and everything else the user interacts with).
Out of two, Google takes care of the core OS. Adds all the necessary files into it. Build libraries that can be exposed as services a.k.a API’s for vendors to utilize that and build whatever they want. The second part, the interface can be handled both by Google and the vendor. Google will pack stock UI while giving it out to vendors. But this section can be edited by vendor according to their needs. Samsung will be happy to just work on their Touchwiz UI without touching the core of Android.
Yes, Google will provide the both of these to the vendor. They can edit the core OS if needed. But Google is trying to eliminate that headache from the vendors. Thus making (or forcing) them to keep their device updated always.
How that is going to help me or you is, Google will have an easy access to push security updates as a part of core OS or a framework. The vendor can push the update for their interface. Let Google worry about fixing those Android bugs and push the update and being a vendor, I will just worry about my own proprietary parts of the OS.