Google Says Android Bug Overblown

John Lister

Google says a set of security flaws on Android devices may not be as serious as initially feared. It says 90 percent of devices should be largely immune from what's been dubbed the "Quadrooter" exploit.

A security research company found the problem in software which works with processors manufactured by Qualcomm, which are used in an estimated 900 million Android devices. The bugs affect the communication between different actions (known as processes) running on the phone at the same time.

The name of the exploit (Quadrooter) comes from the fact that there are four vulnerabilities which could allow root access to the phone, which means malicious software could then be executed without the owner knowing.

Rogue Apps Could Get Total Access

Researchers at Checkpoint say the bugs aren't in the core Android operating system but rather in the software that phone and tablet makers add when building a device - in this case, to make sure the processor works.

They say that in theory users could be tricked into installing a rogue application which could exploit the vulnerabilities and effectively give remote control to all the functions and data of the device. This could mean turning the device itself into a spying tool. (Source: checkpoint.com)

Google Notes Existing Defenses

Google has welcomed Checkpoint's research, but points out that Android has safeguards that would severely restrict Quadrooter from working. It says apps exploiting such vulnerabilities are already blocked from the main Google Play app store, so hackers would need to trick the user into downloading and installing the rogue app from another source.

Android already warns users to think twice before installing unverified apps (which are not from the app store), requiring them to click a confirmation after seeing the message "Installing this app may harm your device." One of the four vulnerabilities could get through this way, but only if the user went ahead with the installation despite the warning. Google plans to issue a patch for this vulnerability and is also encouraging manufacturers to issue a patch created by Checkpoint.

The other three vulnerabilities would all be caught by a feature called "Verify Apps," which was introduced in Android 4.2 and is used on 90 percent of Android devices. Verify Apps scans any app from an untrusted source and, if it spots something suspicious, completely blocks the installation without giving the user any option to proceed. (Source: androidcentral.com)

What's Your Opinion?

Do you ever install Android apps from sources other than the Google Play store? Does Google do enough to maintain security while exercising less control and restriction than Apple? Is it right to completely block some apps rather than let the user take the final responsibility and risk?


Comments

Stuart Berg

I have an Android 5 (Lollipop) phone. I was HUGELY disappointed to find out that the Google Play Store would not permit me to install a necessary (to me) home automation app called Wemo, even though Wemo was supposed to be compatible with Android 5. So I ended up downloading and installing Wemo from http://apkdler.com. Wemo on my Android 5 does have a minor problem, but it doesn't bother me at all. If the Google Play Store had allowed me to install it with the caveat that it might not work perfectly, I wouldn't have looked elsewhere to get it.