Missing patches leave Android at risk from Qualcomm flaw

Security experts say poor update distribution is to blame

60 per cent of Android devices are at risk due a security flaw in Qualcomm's mobile chips, according to security experts at Duo Labs.

Researcher Gal Beniamini disclosed last week that a problem in Qualcomm's Secure Execution Environment (QSEE) could allow hackers to take control of a device through a series of linked exploits.

Advertisement - Article continues below

There are caveats that should limit the threat: the offensive code must be delivered via a malicious app, and the flaw itself was patched in a January 2016 security update.

However, Duo Labs revealed that a majority of Android users are vulnerable to having their devices compromised by this process because they haven't updated their handsets. 

Duo Labs looked at data from 500,000 Android phones, of which 80 per cent use Qualcomm components, finding only a quarter have applied the relevant security patch.

This is due to the many problems surrounding patch distribution, the firm said. While Google's first-party Nexus devices receive patches as soon as they're released, updates for other phones have to go through multiple layers of approval first.

Once they're built by Google, they have to be applied by the individual OEM, then sent out to mobile providers, who then have to approve it and distribute it to their customers. The process that can take months.

Advertisement - Article continues below
Advertisement - Article continues below

And that's if devices are even eligible for the update in the first place. Duo Labs said that 27 per cent of Android phones are too old to qualify for such updates.

This means many phones are left out in the cold, unless the manufacturer creates a custom version of the patch or the user refreshes to a newer OS version - which many devices can't support.

To fall victim to hackers using the vulnerability, users would still have to install a malicious app. "Make sure you only install apps from well-known companies," Duo Labs advised. "It's not always easy, and definitely not fool-proof. But Facebook, for example, is a lot less likely to slip malicious code in its app, compared to lesser-known app developers that may try to make a quick buck by sneaking in malicious code."

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now



Evasive malware threats doubled in 2019

24 Mar 2020

10 quick tips to identifying phishing emails

16 Mar 2020
mergers and acquisitions

Panda Security to be acquired by WatchGuard

9 Mar 2020

Best free malware removal tools 2019

2 Mar 2020

Most Popular

Mobile Phones

Apple lifts iPhone purchase restrictions

23 Mar 2020
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
Microsoft Windows

Microsoft puts Windows development on lockdown

25 Mar 2020

These are the companies offering free software during the coronavirus crisis

25 Mar 2020