What should you do about the Qualcomm QuadRooter vulnerability?

John McCann of TechRadar has posted a comprehensive list of devices that are impacted by Qualcomm QuadRooter, the series of four severe vulnerabilities that affects up to 900 million Android devices, and he points out what users need to do if they are impacted by any of them.

The mobile device manufacturers he details include Samsung, Sony, HTC, Google Nexus, OnePlus, Motorola, LG, and BlackBerry.

http://www.techradar.com/us/news/phone-and-communications/mobile-phones/android-quadrooter-vulnerability-should-you-be-worried–1326286

All Android users are encouraged to first check their device with the free QuadRooter Scanner app from Trustlook. Then, if they are impacted, users should contact their device manufacturer for a security patch.

Don't be Fooled by Fake QuadRooter Patches

It’s bad enough that nearly 900 million Android users are impacted by Qualcomm’s QuadRooter vulnerability. Now, we are learning that scammers published two Android apps on Google Play that claimed to fix QuadRooter flaws but instead serve unwanted ads. This clearly is an attempt to exploit the uncertainty about which devices will receive the Android security updates.

Both apps, published under the name “Fix Patch QuadRooter” by Kiwiapps Ltd., claimed to patch the Android system; they were malicious and have since been pulled from Google Play. On top of that, one of them was a paid app (costing 0.99 EUR).

QuadRooter is a set of four vulnerabilities (CVE-2016-2059, CVE-2016-2503, CVE-2016-2504, CVE-2016-5340, CVE-2016-2060) affecting an estimated 900 million Android smartphones and tablets built using Qualcomm chipsets.

All Android users are encouraged to first check their device with the free QuadRooter Scanner app from Trustlook. Then, if they are impacted, users should contact their device manufacturer for a security patch.

Sony Mobile is Releasing a Fix for Qualcomm Quadrooter Vulnerability

Users of Sony smartphones can breathe a little easier. The company has announced that patches are being released that address the widespread Qualcomm QuadRooter vulnerability that impacts close to 900 million Android phone users.

Here is Sony Mobile’s official comment on the Quadrooter Android vulnerability:

“Sony Mobile takes the security and privacy of customer data very seriously. We are aware of the ‘Quadrooter’ vulnerability and are working to make the security patches available within normal and regular software maintenance, both directly to open-market devices and via our carrier partners, so timings can vary by region and/or operator. Consumers are recommended to continuously upgrade their phone software in order to optimize performance of their Xperia™ smartphone. Users can take steps to protect themselves by only downloading trusted applications from reputable application stores.”

Even with this news, all Android users are encouraged to check their device with the free QuadRooter Scanner app from Trustlook.

Trustlook Updates Qualcomm QuadRooter Scanner Android App

Trustlook has updated its popular Qualcomm QuadRooter Scanner App in an attempt to improve the app’s stability. QuadRooter is a set of four vulnerabilities (CVE-2016-2059, CVE-2016-2503, CVE-2016-2504, CVE-2016-5340, CVE-2016-2060) affecting an estimated 900 million Android smartphones and tablets built using Qualcomm chipsets. The key updates to the app are as follows:

1. Improved descriptions for QuadRooter-related vulnerabilities

2. Added more information on “What is QuadRooter?” and “How can I stay safe?”

3. Added details on each CVE (Common Vulnerabilities and Exposures) type related to QuadRooter

4. Updated design

5. Improved stability

Please visit the Google Play store to update to the latest version of the QuadRooter detection app.

Top 5 Ways to Protect Yourself Against Qualcomm’s QuadRooter Vulnerability

QuadRooter is a set of four vulnerabilities (CVE-2016-2059, CVE-2016-2503, CVE-2016-2504, CVE-2016-5340, CVE-2016-2060) affecting Android devices built using Qualcomm chipsets. It is estimated that a staggering 900 million Android smartphones and tablets could be affected. Here are 5 ways to protect yourself against this vulnerability.

1. The most important thing you can do is avoid the problem in the first place. Only download apps from known sources. In your Android device’s security settings, make sure you have unchecked “Unknown sources.” This way you will be alerted if you attempt to install an app from a potentially unsafe source.

2. Scan your Android mobile phone with the free Qualcomm QuadRooter Scanner app available from the Google Play store. The app is small (less than 2 MB) and takes only a few seconds to run. In addition to the four QuadRooter vulnerabilities, this app also detects the Qualcomm Tether Controller Vulnerability (CVE-2016-2060).

3. Visit your phone manufacturer’s website for any available security patches, especially if you have one of the following highly vulnerable devices:

  • Google Nexus 5X, Nexus 6 and Nexus 6P
  • HTC One, HTC M9 and HTC 10
  • BlackBerry Priv
  • LG G4, LG G5, and LG V10
  • New Moto X by Motorola
  • OnePlus One, OnePlus 2 and OnePlus 3
  • Samsung Galaxy S7 and Samsung S7 Edge
  • Sony Xperia Z Ultra
  • Blackphone 1 and Blackphone 2

4. Make sure your Android device is running the most up-to-date operating system. That would be either 5.1.1 (Lollipop) or 6.0.1 (Marshmallow) depending on your device.

5. Always have a mobile antivirus app installed on your Android device. Trustlook Antivirus and Mobile Security can be downloaded for free from the Google Play store.

Trustlook App Detects Qualcomm QuadRooter Vulnerability

Trustlook released a free Qualcomm QuadRooter Scanner application (available on Google Play) that enables Android phone owners to check if they are exposed to QuadRooter, the widespread vulnerability affecting millions of Android devices. If their device is exposed, the user may be able to download a software update from the device manufacturer that contains a security patch.

First detailed by security researchers at Check Point at DEFCON 24 in August 2016, QuadRooter is a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets. In total, Check Point estimates that 900 million Android smartphones and tablets could be affected.

If any one of the four vulnerabilities is exploited, third-party apps could gain special system privileges, or access to a user’s SMS database or phone history, without the user’s knowledge. Such access could also give an attacker capabilities such as keylogging, GPS tracking, and recording video and audio.

Trustlook is working on providing detection for any additional Qualcomm vulnerabilities that may be discovered. Any user with a Qualcomm-powered mobile device or tablet is encouraged to continually monitor their device.

Download the free QuadRooter Scanner app here.

Customizable Trojan hides itself and silently collects confidential information

This malicious app is detected by Trustlook as “Android.Trojan.Hideicon”, with a severity rating of 8/10 (High Risk). It disguises itself as a WiFi utility program and steals the user’s information. The app targets smartphone users in Brazil, which is why the Trojan’s text is written in Portuguese.

The analyzed Trojan package has the following characteristics:

  • MD5: 37B9D06D45246FFCAB932A24D129DACE
  • SHA256: 8F88208D6654A1B25CE9689A9569E2EE16501B25101EF316F50A6B50CED849C0
  • Size: 872359 bytes
  • App name: WiFI
  • Package name: com.wifi.wifi

The package icon is:

[Screenshot: package icon]

Upon execution, the app persuades the user to grant it device administrator access in order to maintain persistence on the system:

[Screenshots: device administrator activation prompts]

If the device is rooted, the app repeatedly requests root privileges:

[Screenshot: root permission request]

The app contacts “meuspy.com” and sends the information via HTTPS:

[Screenshot: network connection to the server]

The unencrypted network traffic is shown below:

[Screenshot: captured network traffic]

The following code snippets demonstrate how the malware constructs and sends the above request:

[Screenshot: request-building code]

The website “meuspy.com” is behind the app. From the “How it works” section, the site claims:

“The system works as a spyware, it captures the phone information and sends it to the Web server, all data is stored on our server and can only be seen by you through a username and password, text messages are encrypted within the server, so if a hacker invades the server it will not be able to read the messages.”

The headline feature of the service offered by the website is that the app can be customized and disguised under any other name, so that users cannot easily find and uninstall it. If the device is rooted, it is even harder for users to get rid of it.

The malware can collect the following information from the device:

  • SMS
  • Contacts
  • Calling history
  • GPS location
  • WhatsApp messages
  • Photos and videos

In addition, the malware can perform the following actions:

  • Take picture
  • Record video
  • Record audio
  • Take screenshot
  • Update
  • Uninstall

The following code snippets are used to steal WhatsApp messages:

[Screenshot: WhatsApp message theft code]

The following code snippets are used to download the APK and upgrade itself:

[Screenshot: APK download and self-update code]

Summary

The Android.Trojan.Hideicon malware silently steals information and performs malicious actions without the user’s consent. Moreover, it lets the attacker customize the app in order to avoid detection.