Qualcomm, which holds roughly 65% of the market, builds chips that power most of the world’s mobile phones. Unfortunately, an Israel-based firm called Check Point recently uncovered major security flaws in the chip, collectively dubbed QuadRooter, that could affect as many as 900 million people.
The flaws could leave users exposed to a number of cyberattacks, including "privilege escalation for the purpose of gaining root access to a device." This could be done without the user’s knowledge.
"An attacker can exploit these vulnerabilities using a malicious app. Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing," Check Point wrote in its report.
"If exploited, QuadRooter vulnerabilities can give attackers complete control of devices and unrestricted access to sensitive personal and enterprise data on them. Access would also provide an attacker with capabilities such as keylogging, GPS tracking, and recording video and audio," the report reads.
Since the flaws were discovered, patches have been announced for three of them. A fourth is still in development. But users are unable to obtain the fixes individually, and must rely on their manufacturers to deliver them.
"Since the vulnerable drivers are pre-installed on devices at the point of manufacture, they can only be fixed by installing a patch from the distributor or carrier. Distributors and carriers issuing patches can only do so after receiving fixed driver packs from Qualcomm."
While QuadRooter may be specific to Qualcomm and Android devices, it could be an indication of broader problems within the industry.
"This situation highlights the inherent risks in the Android security model. Critical security updates must pass through the entire supply chain before they can be made available to end users," the report says.
"Once available, the end users must then be sure to install these updates to protect their devices and data."