Around 900 million Android phones running on microchips produced by US firm Qualcomm were found to have serious security flaws that could give cyber attackers complete access to the users’ data.
The bugs were uncovered by CheckPoint Software Technologies, a Tel Aviv-based cyber security company, BBC News reports.
CheckPoint said there is no evidence at the moment that the vulnerabilities are being used in attacks by cyber criminals.
But Michael Shaulov, CheckPoint’s head of mobility product management, warned: “I’m pretty sure you will see these vulnerabilities being used in the next three to four months.”
“It’s always a race as to who finds the bug first, whether it’s the good guys or the bad,” he added.
It’s a serious issue. According to technology news website Wired, compromised devices would allow a hacker to collect any data stored on the phone, control the camera and microphone, and track its GPS location.
Hackers could even look into encrypted apps to see the user’s messages and emails or note down banking passwords as they are typed in, the Financial Times reported, citing Shaulov.
“It’s like giving someone the keys to your house, then holding the door open for them while they make off with the jewels,” Wired said.
Affected devices, according to the BBC, include: BlackBerry Priv, Blackphone 1 and Blackphone 2, Google Nexus 5X, Nexus 6 and Nexus 6P, HTC One, HTC M9 and HTC 10, LG G4, LG G5 and LG V10, Motorola’s New Moto X, OnePlus One, OnePlus 2 and OnePlus 3, US versions of Samsung’s Galaxy S7 and Samsung S7 Edge, and Sony Xperia Z Ultra.
CheckPoint said the flaws involved four issues, collectively called QuadRooter, which could be found in software that handles graphics and in code that controls communication between different processes running inside a phone.
It’s not easy to address these issues. That’s because the Android operating system has been modified by various device makers that use it, unlike iOS, which is solely controlled by Apple Inc., Wired explained.
“Android security updates are really hard,” Jeff Zacuto, a member of CheckPoint’s mobile research team, was quoted as saying.
“The Android ecosystem is so fragmented. There are a lot of different versions and variants of Android in the marketplace, because each individual device has its own particular nuances.”
So although Qualcomm released patches for all four vulnerabilities between April and July, it will take time for the mobile phone manufacturers to incorporate them in their devices.
The Hong Kong Computer Emergency Response Team Coordination Centre, which is under the Hong Kong Productivity Council, said there is currently no vendor patch available to correct the flaws.