Nearly a billion phones open to hackers
Owners of Android phones are being warned that they are vulnerable to hackers, who could steal data, gain control of the phone and plant malware.
The problem's believed to affect a whopping 900 million phones worldwide that run on chips made by Qualcomm, including popular models from the likes of HTC, Motorola and Samsung.
It was first uncovered by security firm Check Point, which identified four errors in the software drivers handling graphics processing and communication between different tasks running on the phone.
"Any Android device built using these chipsets is at risk," says Check Point's Adam Donenfeld.
So far, attackers don't appear to have taken advantage of the flaws; and three of the four have already been fixed, with a patch for the fourth on its way. However, this doesn't mean that phone users are safe.
"Since the vulnerable drivers are pre-installed on devices at the point of manufacture, they can only be fixed by installing a patch from the distributor or carrier," says Donenfeld.
"Distributors and carriers issuing patches can only do so after receiving fixed driver packs from Qualcomm."
As a result, the firm says it expects to see criminals exploiting the security flaw within weeks unless patches are sent out to phone users.
Owners of Nexus phones should already be protected from the first three flaws, as long as they've been accepting over-the-air updates. However, owners of other affected models will have to wait for manufacturers to get their own updates out.
In the meantime, Checkpoint has created an app called QuadRooter Scanner, allowing owners to check whether their phone is vulnerable.
The company advises always downloading and installing the latest Android updates as soon as they become available, and examining any app installation request carefully.
"Be wary of apps that ask for permissions that seem unusual or unnecessary or that use large amounts of data or battery life," Donenfeld warns.
He also recommends avoiding side-loading Android apps (.APK files) or apps from third-party sources, instead sticking to apps only from Google Play.
Since last year's Stagefright bug, several manufacturers, including Google and Samsung, have promised to act more quickly issuing patches for security holes. However, this mostly applies to top-end phones only; it may be worth nagging your phone manufacturer to do more.
Affected phone models:
BlackBerry Priv
Blackphone 1 and Blackphone 2
Google Nexus 5X, Nexus 6 and Nexus 6P
HTC One, HTC M9 and HTC 10
LG G4, LG G5, and LG V10
OnePlus One, OnePlus 2 and OnePlus 3
Samsung Galaxy S7 and Samsung S7 Edge
Sony Xperia Z Ultra
