Scary Android vulnerability affects nearly 1 billion phones

Researchers have discovered a new form of Android malware, and it's pretty scary how many phones are vulnerable. If you have Google's Nexus 5X, Nexus 6 or Nexus 6P, HTC's One M9 or HTC 10, BlackBerry's DTEK50, or Samsung's Galaxy S7 or S7 Edge -- some of the most popular Android models in the world -- your phone, and all the data on it, could be at risk.

The vulnerability is called "QuadRooter," named after a piece of software native to Android devices with Qualcomm chipsets. Theoretically, an attacker would lure a user into installing a malicious app -- most likely from a third-party app store (it's unlikely on Google Play, though malware has gotten through before). The malware would then exploit one of the four security vulnerabilities of QuadRooter, granting the attacker root access, which means all bets are off -- all of the device's data and hardware would be exposed.

"We found multiple privilege escalation vulnerabilities in multiple subsystems introduced by Qualcomm to all its Android devices in multiple different subsystems," said Adam Donenfield, the mobile security researcher who led the team that identified the flaws, at Sunday's Def Con security conference in Nevada.

So far, three of the four flaws have been fixed in Google's last monthly Android security update, but one was not fixed in time for the update's release. While the fourth flaw should be fixed for September's update, Qualcomm has already provided the patch's code, so the fix could come sooner via device manufacturers.

Still, because Google must release patches to manufacturers (who must then work with wireless carriers worldwide to adapt the update to their devices) instead of to users directly, virtually none of the affected phones have the fix. At least Nexus owners, which run stock Android, will likely be first in line.

To check if your device has vulnerability, you can download QuadRooter Scanner for free from Google Play.