Another huge hole in Qualcomm Snapdragon-produced SoC devices

Elixer

Lifer
May 7, 2002
10,371
762
126
http://blog.trendmicro.com/trendlab...droid-vulnerabilities-allow-easy-root-access/

The company’s own website notes that more than a billion devices use Snapdragon processors or modems. Unfortunately, many of these devices contain security flaws that could allow an attacker to gain root access. Gaining root access on a device is highly valuable; it allows the attacker access to various capabilities they would not have under normal circumstances.

We recently found vulnerabilities affecting Snapdragon-powered Android devices, which could be exploited by an attacker in order to gain root access on the target device simply by running a malicious app. These vulnerabilities have now been fixed by Google; we reported these problems to them privately to allow a patch to be created and distributed to the public. However, given the fragmented nature of vulnerability patching in the mobile and Internet of Things (IoT) space, many users will not be able to receive the needed security update and may continue to be at risk of, among other things, information exposure.


I can't help but think of all the devices that CAN'T be patched... what are they going to do, recall a billion devices? Class action to stop the madness?
 

Elixer

I suppose it could, if there isn't any 0 day stuff coming in, and they keep updated definitions; however, that won't help with sleeper trojans that would download their (encrypted) payload, since Avira already checked the app once, and it doesn't constantly scan stuff, and it doesn't seem to scan ads either, which is another way to get your device infected.
It also doesn't have root access (unless you rooted your phone), so, while it is better than nothing, it can only do so much.
 

John Connor

Lifer
Nov 30, 2012
22,757
618
121
Yeah, I have not rooted my phone. I was, then one day I read it wasn't a very good idea due to this very thing so I won't.

I use uBlock in Firefox on my phone, but the Facebook and Twitter apps could be an issue. Ads are carried in those like nothing.
 

Elixer

What is stupid is, while they can push patches to the phone, you don't see them doing it very often and sometimes never.
This is why the 3rd party firmware is better, they are on top of this stuff, so you can always be up to date.
Thing with that is, the phone companies don't want to play ball with them, and some have made it so you lose your phone access if you root it.
This is why we really need a class action suit to force them to update on all these 0 day exploits.