Android Security

Are You One Of 900 Million Android Users Exposed By QuadRoot?

Gavin Phillips 29-08-2016

Android vulnerabilities evoke the same feelings as a massive data breach What You Need To Know About the Massive LinkedIn Accounts Leak A hacker is selling 117 million hacked LinkedIn credentials on the Dark web for around $2,200 in Bitcoin. Kevin Shabazi, CEO and founder of LogMeOnce, helps us to understand just what is at risk. Read More : an all-to-common occurrence that I might find myself part of. At least with a massive data breach I have an opportunity to cut my accounts off and cauterize the data-wound. With the latest Android bug — QuadRoot — this simply isn’t an option.


This is in no small part due to the fact the vulnerability doesn’t entirely lie with Android. No, your device has been potentially compromised by American hardware manufacturing giant Qualcomm, and their esteemed popularity as the powerhouse of choice for the myriad Android devices around the world.

This bug is slightly different to the norm. Where Android bugs usually affect a single, or small number of manufacturers using a specific set of hardware, QuadRoot is estimated to affect some 900 million Android users around the globe. That’s you, and I, and everyone you’ve ever loved.

Let’s look at what QuadRoot is, what it means for you, and just what on earth anyone is actually doing to fix it.

QuadRoot Is Big

A couple of things set QuadRoot apart from other Android bugs we’ve encountered over the last few years. For starters, Check Point, the security research team who discovered the bug explain that:

“QuadRooter is a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets. Qualcomm is the world’s leading designer of LTE chipsets with a 65% share of the LTE modem baseband market. If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations for the purpose of gaining root access to a device.”

They list the four security vulnerabilities as:

  • CVE-2016-2503 discovered in Qualcomm’s GPU driver and fixed in Google’s Android Security Bulletin for July 2016.
  • CVE-2016-2504 found in Qualcomm GPU driver and fixed in Google’s Android Security Bulletin for August 2016.
  • CVE-2016-2059 found in Qualcomm kernel module and fixed in April, though patch status is unknown.
  • CVE-2016-5340 presented in Qualcomm GPU driver and fixed, but patch status unknown.

Is My Device Vulnerable?

As Qualcomm is the world’s leading designer and manufacturer of LTE (Long Term Evolution) chipsets, commanding around 65% of the LTE baseband modem market, there is a significant chance that your device will be exposed. You can check if your device is vulnerable by using the QuadRooter Scanner [No Longer Available], developed and published by Check Point (the guys who found the vulnerability). I have a OnePlus One Top Six Best Features Of The OnePlus One -- And One Drawback I've been living with the OnePlus One for a few weeks now, and it's amazing, but it's not perfect. Let's run through some of the best features -- and one downside. Read More :

QuadRoot Application Scan and Result Panorama

Sad times for me, indeed.


Am I Likely To Be Exploited?

Check Point advise that it is relatively easy to expose a device with any one of these vulnerabilities.

“An attacker can exploit these vulnerabilities using a malicious app. Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing.”

This isn’t a flaw that has been introduced by a firmware update. The vulnerability was present when your device shipped. The flaw, found in software drivers which control communication between chipset components, can realistically only be fixed by the device manufacturer through an OTA update.

Unlike last year’s Stagefright bug How 95% of Android Phones Can Be Hacked with a Single Text A new Android vulnerability has the security world worried - and it leaves your smartphone extremely vulnerable. The StageFright bug allows malicious code to be sent by MMS. What can you do about this security... Read More , QuadRoot actually requires the installation of a malicious app, likely after enabling app installations from “Unknown Sources.” 10 Best Android Apps Not in the Play Store The Play Store isn't the end-all-be-all of Android apps. If you've never ventured outside of it, you're really missing out. Read More As well as this, and as Google have pointed out in their statement (which you can read in the following section), Android’s “Verify App” feature is designed to protect against this exact type of vulnerability. This feature arrived with Android 4.2 Jelly Bean, and given that well over 90% of all Android devices are now running this version or later, and that this bug only affects the aforementioned chipset – I think everything will be okay.

Android Versions in Use 2016


What’s Happens Now?

Being a professional security research company, Check Point informed Qualcomm of the vulnerability months ago. As such, they have already manufacturer a chipset patch that has been rolled out to your device manufacturer. The ball now lies firmly in their court.

A number of popular device manufacturers have already taken steps to reassure their user-base. In one case, the fix has already rolled out. Here are some of the major manufacturers, and their current status.


Google has moved swiftly to protect its users.


“Android devices with our most recent security patch level are already protected against three of these four vulnerabilities. The fourth vulnerability, CVE-2016-5340, will be addressed in an upcoming Android security bulletin, though Android partners can take action sooner by referencing the public patch Qualcomm has provided.”

As the core developers behind Android, Google were also keen to highlight the other security measures already in place for Android devices.

“Our Verify Apps and SafetyNet protections help identify, block, and remove applications that exploit vulnerabilities like these.”

Popular Devices: Nexus 5X, Nexus 6, Nexus 6P


As I mentioned above, one manufacturer had already rolled the fix out to it users. Kudos and praises be heaped upon handset manufacturing stalwarts, Blackberry.

“Three of the four vulnerabilities have already been fixed on PRIV devices with the August Marshmallow patch and on all DTEK50 devices. In addition, the secure boot chain present in all BlackBerry devices naturally mitigates the remaining issue. We’re not aware of any exploits for this vulnerability in the wild and we don’t think any customers are currently at risk from this issue.”

Popular Device: Blackberry Priv


Sony is working toward making the patches available for their Qualcomm devices.

“Sony Mobile takes the security and privacy of customer data very seriously. We are aware of the ‘QuadRooter’ vulnerability, and are working to make the security patches available within normal and regular software maintenance, both directly to open-market devices and via our carrier partners, so timings can vary by region and/or operator.”

Popular Device: Sony Xperia Z Ultra


Motorola are another manufacturer able to provide good news.

“Recently a potential security vulnerability, Quadrooter was discovered in certain Android devices. This potential vulnerability can only be exploited if a user disables the built in Android security measure and downloads a malicious application. For more information on how to ensure this is disabled, this link is helpful for consumers.”

Popular Device: Moto X


HTC have been somewhat quiet regarding QuadRoot, considering at least two of their devices are at risk of exposure.

“HTC takes customer security very seriously. We are aware of these reports and are investigating them.”

Popular Devices: HTC 10, HTC One M9


OnePlus has made contingency plans to include the QuadRoot update in its next patch.

“Security is a top priority for OnePlus. The relevant security patches will be included in the next OTAs (Over The Air updates) for all OnePlus devices.”


There has been no official statement from Samsung as yet.

Popular Devices: Galaxy S7, Galaxy S7 Edge


Again, there has been no official statement from LG as yet.

Popular Devices: LG G5, LG G4, LG V10

Time To Worry?

As with most security vulnerabilities, you have to remain vigilant. These vulnerabilities exist, but unless you download an app with the corresponding malicious code, you’re unlikely to find your device compromised.

The Google Play Store contains many millions of applications; the app containing malicious code How Android Porn Malware Steals Your Data Malicious porn clicker Trojans are masquerading as duplicate apps, waiting to infect your Android device. How prevalent are they? What happens if you download one, and most importantly, how can you avoid them? Read More designed to exploit these particular bugs could be anyone of them Piracy On Android: How Bad Is It Really? Android is notorious for its rampant piracy, so we investigate exactly how bad it is. Read More . As such, remain alert. Check feedback. Cross-check developer and publisher information. Look at download figures. Consider common scams. Don’t download ridiculous apps that offer to turn your phone into something it isn’t.

You should manage to evade any potential malefactors before your device manufacturer releases the patches to bring your security up to scratch 6 Android Security Apps You Should Install Today Android security apps - capable of blocking malware and phishing attempts - are necessary if you wish to run a safe and secure smartphone. Let's look at some of the best Android security apps currently... Read More . However, this latest bug yet again highlights the inherent risks present throughout the Android security model. Unlike Apple, who can simply develop a patch and rollout to their hundreds of millions of users, critical Android security patches have to pass through the entire supply chain of each manufacturer before reaching the users they’re designed to help.

I love Android, and will absolutely continue using it, but as a user, you must remain on guard.

Worried about QuadRoot? Does the number of Android vulnerabilities make you reconsider the platform? Let us know your thoughts below!

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Kelsey Tidwell
    October 2, 2016 at 3:28 am

    I haven't checked my phone, and I don't plan on it. If it's vulnerable, it's vulnerable and I can't fix it. I'm not going to sit around gnawing my fingernails over an infinitesimally small possibility of an exploit on my phone.

    Because of App Verify and the fact that I don't load apps outside of Google Play Store, I'm not worried. The only people who should worry are the ones who purposely disabled the built-in security firewalls and loaded questionable apps from questionable sources.

  2. Simone
    September 4, 2016 at 7:06 pm

    I have a Galaxy S7. No vulnerabilities for me :)

  3. Anoop B Bharadwaj
    September 1, 2016 at 12:32 am

    When i scanned My Galaxy Note 4, it is vulnerable to CVE-2016-2059 and CVE-2016-2504. What is the next step?

  4. Timothy
    August 30, 2016 at 12:41 pm

    I have the Asus Zenphone 2 Deluxe and it is completely secure. It's also better spec'd than most phones out there with 4gb ram 2.3Ghz quad processor 64Gb storage and sd card slot. I'm glad I picked this over the more "mainstream" devices for Aussies.

  5. oliviedu
    August 30, 2016 at 10:34 am

    My device Wiko is afected by two vulnerabilities
    - cve-2016-2059
    - cve-2016-2504


    • oliviedu
      August 30, 2016 at 10:36 am

      Btw : my phone is
      - Wiko Rainbow Lite 4G
      - proc : qualcomm MSM8909
      - Android 5.1.1

  6. Alex C
    August 30, 2016 at 9:56 am

    HTC Desire 510, a budget smartphone from HTC, vulnerable to both. Great. I should just switch back to my Exynos-based international S3, if my EFS partition wasn't broken on that phone.

  7. Andrius
    August 30, 2016 at 9:07 am

    LG Nexus 5X no worries. Just scanned. everything is clean

  8. Gonik
    August 30, 2016 at 8:36 am

    Nexus 5, is vulnerable as well...

  9. Marc J
    August 29, 2016 at 3:46 pm

    Samsung Galaxy S4 shows vulnerable according to Quadrooter by Checkpoint. Time to move on I guess.