The Quadrooter vulnerabilities made a lot of people take notice because the scale of affected Android devices (more than 900,000) put it on a level with Stagefright and other bugs that impact a large majority of the Android ecosystem.
Some details on the four vulnerabilities were publicly disclosed at DEF CON in August by researchers at Check Point Software Technologies, who warned that popular handsets made by Samsung, Motorola and others were affected, and that the vulnerabilities put those devices at risk to complete compromise.
Two of the four vulnerabilities were patched in July and August respectively, and today, Google patched the two remaining vulnerabilities in its monthly Android Security Bulletin. Today’s patches were pushed out today to Nexus devices in an over-the-air update, while partners were given the updates Aug. 5. The Android Open Source Project is expected to receive the patches within 48 hours.
The vulnerabilities enable privilege escalation and open the door to remote attacks. Multiple subsystems of the Qualcomm chipset are affected and the vulnerabilities can be exploited to bypass existing mitigations in the Android Linux kernel, allowing an attacker to gain root privileges, Check Point said.
The easiest way to compromise Android devices vulnerable to Quadrooter would be to trick the victim into downloading a malicious app. The flaws are in Qualcomm drivers that control communication between different components in the chip.
Google patched today CVE-2016-5340 and CVE-2016-2059. CVE-2016-5340 is a bug in Android’s memory allocation subsystem called ashmem, while CVE-2016-2059 is in the Linux inter-process communication router module.
Both flaws allow for root access and successful exploits would require for a device to be re-flashed, Google said.
The previously patched bugs, CVE-2016-2503 (July) and CVE-2016-2504 (August), addressed use-after-free flaws tied to race conditions in the kernel graphics support layer, a Qualcomm GPU component.
Google today published three different patch levels: Sept. 1, 5 and 6.
Sept. 1 includes patches for two critical flaws, one in LibUtils and another in Mediaserver, both of which are remote code execution bugs, as is another rated high severity in MediaMuxer.
LibUtil and Mediaserver bugs have been patched before in Android; Mediaserver bugs were at the heart of last summer’s Stagefright vulnerabilities. All of these flaws, including the MediaMuxer issue, can be exploited via specially crafted media files. They affect all Nexus devices.
The Sept. 5 patch level addresses five critical vulnerabilities, two in the kernel security subsystem, one in the kernel networking subsystem, one in the kernel netfilter subsystem and one in the kernel USB driver. All five are privilege escalation vulnerabilities and all five can give a hacker the means to execute arbitrary code at the kernel level.
The Sept. 6 patch level, meanwhile, includes just the two Quadrooter fixes.