1. andy957's Avatar
    Why would you install an app, from a source you don't know, claiming to offer "security" for a price? What if that very app installed the hack you're bent out of shape over, and low and behold NOW you DO have verifiable malicious code, that the app you agreed to install, installed. You my friend, just infected your phone. Good job. Someone get this soul a cookie.
    Dude before you post such a MALICIOUS post, why don't you go do some yoga. I installed an app from Google Play from Check Point, THE SAME PEOPLE WHO WRITE THE QUADROOT APP. Your apologies are accepted.

    (Oh and by the way it's LO and behold. Study English much?)
    MBrettH likes this.
    08-08-16 10:10 PM
  2. sorinv's Avatar
    So what exactly, in layman's terms, is your point? ELI5.
    All you have to do is to read my posts here. It is very clear.
    Most of the rest of the posts here are on a different topic that has little to do with the thread.

    The thread is about hardware firmware bugs which BlackBerry and other phone and OS manufacturers (Google, BlackBerry, Silent Circle, Samsung..) have no control over.

    This is not malware. It's a security flaw in the Qualcomm Snapdragon 808 and 810 (I am guessing based on the list of phones affected) which was discovered by a security expert after 6 months of reverse engineering the Qualcomm code.

    The Passport or other BB10 phones are not affected because they use older Qualcomm Snapdragon chips like the 801.

    This is not android malware.
    08-08-16 10:31 PM
  3. sorinv's Avatar
    In terms of the chips, that's a false assumption - namely that BlackBerry is somehow the only company to ever create hardware and software without any bugs.

    The Russian guy is a security researcher for Check Point (a credible security research firm). His job (ie reason) is to find big bugs and make big bucks for his company.

    The chips are more than a year old. Even though there's (yet) and proof of the exploit in the wild. But let's assume that a state or highly motivated actor did in fact exploit this before it was disclosed. It still doesn't limit the damage to Android. BB10 could just as easily have been affected.
    BB10 phones like the Passport would be affected if the software flaw were also present in the Snapdragon 801 or earlier. That has not been reported, but it is not out of the question.
    Last edited by sorinv; 08-08-16 at 10:45 PM.
    08-08-16 10:34 PM
  4. Jose Casiano's Avatar
    That fixes three of the vulnerabilities, one still left.
    I saw 4 vulnerabilities fixed here. Not sure if those are the four that they were talking about. What do you guys think?

    CVE-2016-3855
    A vulnerability in the thermal driver can result in a local malicious application being able to corrupt memory, possibly resulting in a temporary denial of service.

    CVE-2016-3850 (bootloader)

    An elevation of privilege vulnerability in the Qualcomm bootloader could enable a local malicious application to execute arbitrary code within the context of the kernel.

    CVE-2016-2504 (GPU)
    CVE-2016-3842 (GPU)
    Elevation of privilege vulnerabilities in the Qualcomm GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

    CVE-2016-3843 (performance component)
    Elevation of privilege vulnerabilities in the Qualcomm performance component could enable a local malicious application to execute arbitrary code within the context of the kernel.
    [Attached image: img_20160809_001556.png]

    Posted via CB10
    08-08-16 11:17 PM
  5. Invictus0's Avatar
    This is not malware. It's a security flaw in the Qualcomm Snapdragon 808 and 810 (I am guessing based on the list of phones affected) which was discovered by a security expert after 6 months of reverse engineering the Qualcomm code.

    The Passport or other BB10 phones are not affected because they use older Qualcomm Snapdragon chips like the 801.
    The article lists the HTC One and OnePlus One which have a Snapdragon 600 and 801 respectively.

    HTC One - Full phone specifications

    OnePlus One - Full phone specifications
    08-08-16 11:31 PM
  6. MBrettH's Avatar
    Keep "allow installs from unknown sources" off, and you're good to go.
    Most of the apps from KNOWN sources ask for too many intrusive permissions. Android OS is built first to track you, then make phone calls, thence comes the basis of the Google business model. I bought a Priv, but will always be disappointed in BlackBerry. They already had the best and most secure OS, and a recognizable name. They screwed up the marketing, it seems.
    Last edited by MBrettH; 08-09-16 at 01:04 AM.
    andy957 likes this.
    08-09-16 12:06 AM
  7. MBrettH's Avatar
    And certainly not anyone who would go into my settings, go to the security setup, turn off a security feature that has a warning, then install a malicious app on purpose.
    The person who would do this to someone is the same person who would turn in their crime partner to get out of jail: "Someone you thought you could trust."

    Don't trust anyone until they earn your trust. Then, watch your back.
    08-09-16 12:25 AM
  8. thurask's Avatar
    The person who would do this to someone is the same person who would turn in their crime partner to get out of jail: "Someone you thought you could trust."

    Don't trust anyone until they earn your trust. Then, watch your back.
    [Attached image: 1470720811835.jpg]
    MBrettH likes this.
    08-09-16 12:33 AM
  9. MBrettH's Avatar
    You don't have to be in cahoots with anyone in order to have a rogue employee. A malicious employee, or an employee who has been compromised by a foreign entity, has happened before. Some foreign entities are very persistent.
    08-09-16 12:42 AM
  10. MBrettH's Avatar
    There is that. Most of these companies have acknowledged installing backdoors to enable government snooping.
    08-09-16 12:46 AM
  11. Tsepz_GP's Avatar
    Wrong. Ideas have value, that's why the copycats steal them. There's a brand new colour in the crayon set called "Korean litigation". It's right beside the other new colour called "I'm mad because I overpaid for a piece of copy-cat garbage".

    Posted via BlackBerry Priv STV100-1
    Yeah the Priv was overpriced, despite using lower grade Samsung components, shoddy build quality, look man you made a mistake, don't be mad.
    08-09-16 01:43 AM
  12. Gajja's Avatar
    http://www.bbc.com/news/technology-37005226
    It's interesting that Samsung (and Apple) are not on the list because they do not use the Qualcomm chip. They have their own. This also goes back to the security (lack thereof) of a phone designed and assembled in China.
    Samsung and Apple phones have their own weaknesses. And I think Samsung/Apple phones, I dunno, just a few of them might also be Chinese made ;-)
    08-09-16 03:05 AM
  13. Bla1ze's Avatar
    And this is why you don't get your knickers in a knot...90% of devices have it blocked anyway on Google side - Google confirms 'Verify Apps' can block apps with QuadRooter exploits | Android Central
    Thud Hardsmack likes this.
    08-09-16 03:32 AM
  14. BBVill's Avatar
    And just when they released "the most secure android device on the market"....

    Posted via CB10
    08-09-16 04:00 AM
  15. rc69's Avatar
    Staying with my Passport. Very happy with it.

    Posted via CB10
    08-09-16 04:04 AM
  16. Tsepz_GP's Avatar
    And this is why you don't get your knickers in a knot...90% of devices have it blocked anyway on Google side - Google confirms 'Verify Apps' can block apps with QuadRooter exploits | Android Central
    THANK YOU!

    This goes for almost all exploits found in the last 2-3 years in Android. You would have to want to get the exploit in your phone to get it and that requires turning multiple security settings.

    I've been saying this for a long time, these articles always conveniently forget to mention the multiple hurdles you have to go through for the exploit to infect your Android, and people who don't understand how Android works are the ones who cry about these exploits, while us Android users laugh it away, and get a security patch update for an exploit that wouldn't have affected us anyway.

    It's great that we have people who find these exploits, but the tech blogs and so on tend to severely exaggerate these things.

    And just when they released "the most secure android device on the market"....

    Posted via CB10


    Staying with my Passport. Very happy with it.

    Posted via CB10
    ^^ These are the sort of people these articles are aimed at.
    08-09-16 04:19 AM
  17. Mecca EL's Avatar
    Dude before you post such a MALICIOUS post, why don't you go do some yoga. I installed an app from Google Play from Check Point, THE SAME PEOPLE WHO WRITE THE QUADROOT APP. Your apologies are accepted.

    (Oh and by the way it's LO and behold. Study English much?)
    I'm a published author. And it's obvious you understood what I said. What I'm not understanding is what does language have to do with the matter at hand, unless that was your best attempt at expressing your superiority over English? Good for you !!!

    Quadrooter is a codec, like Stagefright is. And if you installed an app that scans for a Quadroot and not Quadrooter, you've been scammed. So what it's on Google Play store, you don't know if what you just installed is in fact the malicious code you're attempting to avoid. Who are these "same people" ? Up until Baidu acquired ES File Explorer, I used that file manager for many years. But now this app phones home, so I don't use it anymore.
    08-09-16 04:33 AM
  18. whatsever's Avatar
    It seems that BlackBerry already patched 3 out of 4 with the last update. Still one is open and don't install apps you download from somewhere else.
    08-09-16 06:36 AM
  19. Jerry A's Avatar
    I'm a published author. And it's obvious you understood what I said. What I'm not understanding is what does language have to do with the matter at hand, unless that was your best attempt at expressing your superiority over English? Good for you !!!

    Quadrooter is a codec, like Stagefright is. And if you installed an app that scans for a Quadroot and not Quadrooter, you've been scammed. So what it's on Google Play store, you don't know if what you just installed is in fact the malicious code you're attempting to avoid. Who are these "same people" ? Up until Baidu acquired ES File Explorer, I used that file manager for many years. But now this app phones home, so I don't use it anymore.
    CheckPoint is the reputable security firm who discovered and disclosed the Quadrooter vulnerability.

    In this case, their app is okay for scanning. Sorta like when Zimperium released an app for determining Stagefright exposure (Zimperium was the security firm that found Stagefright).
    andy957, PantherBlitz and Mecca EL like this.
    08-09-16 07:10 AM
  20. anon(9742832)'s Avatar
    Hey wait a minute...you can't agree with me. I only write in crayon and post all kinds of pointless rubbish. Heh heh

    Posted via BlackBerry Priv STV100-1
    You know what they say, a broken clock is right twice a day...................LOL
    Tsepz_GP likes this.
    08-09-16 07:47 AM
  21. Sairos's Avatar
    And which part would be false information?
    The more accurate question is which part is not false information.

    First, it's a software problem.. "so the whole software can't secure hardware bugs" is false.. It's indeed fixed through a software update because it's a problem in the software drivers.. rendering the whole point of the thread useless.

    Second, the fact that Samsung phones are not affected is false too, they use Qualcomm alongside their chips and the S7 is affected.

    Third point.. he argues phones assembled or produced in China can't be secure.. That's just funny.. Doesn't matter where you assemble or produce them.. Qualcomm is American yet the vulnerability is coming from them.. So it has NOTHING to do with China..
    08-09-16 08:32 AM
  22. andy957's Avatar
    CheckPoint is the reputable security firm who discovered and disclosed the Quadrooter vulnerability.

    In this case, their app is okay for scanning. Sorta like when Zimperium released an app for determining Stagefright exposure (Zimperium was the security firm that found Stagefright).
    Thank you. That seems to be over the heads of some know-it-alls here.
    08-09-16 08:32 AM
  23. anon(9607753)'s Avatar
    Yeah the Priv was overpriced, despite using lower grade Samsung components, shoddy build quality, look man you made a mistake, don't be mad.
    Over-priced? Maybe for some; particularly those with no appreciation for creative design and value added features. If BlackBerry hadn't invested the time and money to clean up Android and put diapers on it, I wouldn't have touched Priv or any other Android device. BlackBerry's enhancements to the Android experience make it useable. But just barely.

    Now run along and be a good Android fanboy...

    Posted via BlackBerry Priv STV100-1
    08-09-16 08:38 AM
  24. anon(9742832)'s Avatar
    The more accurate question is which part is not false information.

    First, it's a software problem.. "so the whole software can't secure hardware bugs" is false.. It's indeed fixed through a software update because it's a problem in the software drivers.. rendering the whole point of the thread useless.

    Second, the fact that Samsung phones are not affected is false too, they use Qualcomm alongside their chips and the S7 is affected.

    Third point.. he argues phones assembled or produced in China can't be secure.. That's just funny.. Doesn't matter where you assemble or produce them.. Qualcomm is American yet the vulnerability is coming from them.. So it has NOTHING to do with China..
    To be truthful it's not even a software issue, but a hardware and driver issue. This is becoming very common with sloppy drivers and pushed out products. The real issue is all the other products affected and not even mentioned. Such as smart door locks, and thermostats to name a few.
    08-09-16 08:39 AM
  25. Sairos's Avatar
    To be truthful it's not even a software issue, but a hardware and driver issue. This is becoming very common with sloppy drivers and pushed out products. The real issue is all the other products affected and not even mentioned. Such as smart door locks, and thermostats to name a few.
    Software drivers = Software.. Fixed through a software update = Software.

    I don't know about door locks or thermostats using Qualcomm gear.. So I've no info regarding that.. Someone can always enlighten us though.
    08-09-16 08:41 AM