Security Alert (A16-08-02): Multiple Vulnerabilities in Android

Description:

Multiple vulnerabilities are found in Android devices built on Qualcomm chipsets called "QuadRooter". An attacker could exploit these vulnerabilities using a malicious app which requires no special permissions.

Affected Systems:

The following is only a sample list of Android devices that are using Qualcomm chipsets. The list is not exhaustive and it is strongly recommended to consult the Android phone supplier and/or device manufacturer if the mentioned chipsets were used:

• BlackBerry Priv
• Blackphone 1 and 2
• Google Nexus 5X, 6 and 6P
• HTC One M9 and HTC 10
• LG G4, G5, and V10
• New Moto X by Motorola
• OnePlus One, 2 and 3
• Samsung Galaxy S7 and S7 Edge
• Sony Xperia Z Ultra

Impact:

A successful attack could lead to information disclosure, privilege escalation, or complete control of the device.

Recommendation:

To address all QuadRooter vulnerabilities, Google has provided patches to device manufacturers for their further testing and distribution to their customers’ devices. Users shall ascertain that the Android devices are updated with the patches once available. Users should contact the device manufacturers for the patch availability and details.

• Do not download and install unnecessary apps.
• Do not install Android apps (.APK files) or download apps from third-party or unofficial sources.
• Patch the mobile devices once the fixes are available.

More Information:

https://source.android.com/security/bulletin/2016-09-01.html
https://www.hkcert.org/my_url/en/alert/16080901
http://blog.checkpoint.com/2016/08/07/quadrooter/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2059
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2503
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2504
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5340
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4653