QuadRooter, Verify Apps and Why Patching is Still Cool
On Monday, Check Point released a blog post detailing a new set of vulnerabilities dubbed QuadRooter that affects 900 million Android smartphones and tablets that use Qualcomm chipsets. Google has since responded with the following quote:
We appreciate Check Point’s research as it helps improve the safety of the broader mobile ecosystem. Android devices with our most recent security patch level are already protected against three of these four vulnerabilities. The fourth vulnerability, CVE-2016-5340, will be addressed in an upcoming Android security bulletin, though Android partners can take action sooner by referencing the public patch Qualcomm has provided. Exploitation of these issues depends on users also downloading and installing a malicious application. Our Verify Apps and SafetyNet protections help identify, block, and remove applications that exploit vulnerabilities like these. – Google
Verify Apps is a feature that regularly checks devices for dangerous applications. It will warn you if you are about to download a potentially dangerous application and, in the event that an app is deemed too dangerous, Verify Apps will prevent installation altogether. This determination is made by Google Bouncer, an internal service that analyzes apps, similar to how antivirus tools try to detect malicious programs.
Verify Apps stands as the last level of protection in case malware evades Bouncer and is available through Google Play or if it is sideloaded. (Learn more in Duo CTO & Co-Founder’s Jon Oberheide and Dr. Charlie Miller's Dissecting the Android Bouncer, a Duo Tech Talk throwback to 2013).
Along the same lines, SafetyNet is an API that allows apps to leverage Google services that can assist in the assessment of the health and safety of an Android device. Thus, it can detect if a device has been rooted or infected with malware.
When it comes to QuadRooter, Verify Apps can go a long way in providing extra protection to Android users. And with it being enabled by default since Android version 4.2, approximately 90% of Android devices are already taking advantage of this feature, if it hasn’t been deliberately turned off. Furthermore, those who are running a version older than 4.2 can manually enable Verify Apps by going into the Google Settings app. So then things aren’t that bad, right? Not quite.
You shouldn’t rely solely on Verify Apps to protect your devices. Accurately detecting malicious applications is a nontrivial problem and, despite Google’s best efforts, malware has evaded Bouncer before and been made available through Google Play. Thus, the only way to ensure that your device is protected against QuadRooter and other known vulnerabilities is by applying the monthly Android security patches.
We’ve written previously about the importance of monthly security patches, but QuadRooter underscores how crucial it is to apply these patches in a timely manner. With the availability of monthly patches being largely determined by carriers and OEMs (Original Equipment Manufacturers), we encourage you to pick a Nexus device if you have the option of choosing your handset.
So while QuadRooter should be taken seriously, neither the 900 million nor the 10% figure tell the whole story. The truth is that the actual number of vulnerable devices falls somewhere in between - and the best way to protect yourself is by applying monthly Android security patches.