Beware, Android users: Hong Kong watchdog issues ‘extremely critical’ warning as 900 million devices worldwide at risk

Problematic chipsets used by a wide range of mobile phone brands might not be fixed until at least September

PUBLISHED : Wednesday, 10 August, 2016, 11:06am
UPDATED : Thursday, 11 August, 2016, 12:03pm

The multiple vulnerabilities in 900 million Android devices around the world that could leave users’ sensitive data open to attack might not be patched completely until at least September, it emerged on Wednesday.

The development came a day after the Hong Kong Computer Emergency Response Team Coordination Centre – managed by the Hong Kong Productivity Council to coordinate computer security incident responses for local internet users – issued an “extremely critical” warning to Hongkongers.

“So far there have been no attacks [taking advantage of the vulnerabilities] yet,” Leung Siu-cheong, the centre’s senior consultant, told the Post.

“But users are strongly advised not to install unknown applications as attackers could exert full control of one’s device, such as recording conversations, stealing or even erasing one’s information, via malicious applications.”

Three out of four flaws were rectified in Google’s latest set of security updates, but the final fix, also known as a patch, would not be available until early September.


The unsettling findings first emerged on Sunday when US-based IT security firm Check Point announced that a set of four vulnerabilities – also known as “QuadRooter” – had been identified in 900 million Android smartphones and tablets that use chipsets by Qualcomm, the world’s leading designer of such chipsets.

A wide range of brands such as HTC, Samsung, Sony, and LG use the problematic chipsets. Attackers exploiting these vulnerabilities could gain root access to a device by using a malicious app like a GPS tracking unit.

Leung said fixing the vulnerabilities required several steps: Google must first offer patches for the four bugs in the Android ecosystem so the device developers, such as Samsung and Sony, could update the patches in their own firmware for users to download.

Qualcomm first learned of these four flaws through Check Point between February and April, and made patches for all four vulnerabilities available to its customers, partners, and the open source community between April and July, according to an emailed statement.


The company said it continued to “work proactively both internally as well as with security researchers to identify and address potential security vulnerabilities”.

However, while all four patches were released, individual manufacturers had to adopt them because it was the manufacturers who installed the Qualcomm chips in their devices, according to an article in Wired magazine. The result was a delay in the patches reaching actual users.


Google Nexus devices already have protections for three of the four issues, and the final update for Nexus will be ready by early September, a Google spokesman said. The company releases security updates for its Android devices every month.

The tech giant was also updating Google Play, Verify Apps, and SafetyNet to provide users with another layer of protection, the spokesman said.

“Exploitation of these issues depends on users downloading and installing a malicious application,” the company added. “So far, we have seen no evidence of exploitation.”

Check Point has encouraged ordinary users to download Android security updates as soon as they are available, to check the security of their devices with a Check Point app, and to be cautious in downloading third-party apps on their devices, according to a post on its website.