
A new flaw puts nearly a billion phones at risk and shows Android security is still a patchwork mess

There are still too many cooks stirring the pot.

Another big security flaw in Android highlights just how messed up the Google ecosystem still is when it comes to security.

This one, known as Quadrooter, was disclosed in recent days by security software maker Check Point. Quadrooter affects a whole host of top-end Android devices running one of Qualcomm's Snapdragon chips.

That means hundreds of millions or even a billion devices could be at risk, including top-end models such as the Samsung Galaxy S7, HTC 10 and LG G5 and even Google's latest Nexus devices and security-focused devices like BlackBerry's Priv and Silent Circle's Blackphone.


The problem is there are still so many hands in the pot when it comes to updating Android. Google updates its software, but device makers have to tailor it for their phones — and sometimes they get their software not from Google, but from chipmakers like Qualcomm. And then sometimes mobile carriers want to do their own testing to make sure they aren't inadvertently introducing other problems onto their network.

[Photo: Adrian Ludwig, Google's Android Security Chief. Credit: Mary Catherine Wellons | CNBC]

All that means the time from when a flaw is identified or disclosed to when it is fixed is longer than it should be, sometimes leaving hundreds of millions of phones vulnerable for weeks or months.

"The problem continues to be that Android security updates are really hard because of [their] fragmented ecosystem," Check Point mobile security evangelist Jeff Zacuto told Recode.

In this case, the flaw affected such a broad swath of phones because it was an issue at the chip level — and Qualcomm chips power roughly two-thirds of Android phones.

It's worth noting that as bad as things are, they used to be worse.

Google didn't always have monthly security patches, carriers used to be much stingier with allowing quick security updates and device makers did a lot more customizations to Android that further complicated the process.

Qualcomm, for its part, said it was notified between February and April about the various vulnerabilities and made patches available between April and July.

But unlike when Apple releases a security update for the iPhone, that's only one step in the process. Once Qualcomm or Google releases a fix, each handset maker has to tweak it for their phone and then make the update available to customers. In the U.S., updates also sometimes go through the cellphone carrier.

Google, meanwhile, says three of the four flaws tied to Quadrooter were patched in an August security update, while the fourth is set to be fixed soon. It also notes that while this is a high-risk flaw, it still requires a user to download a malicious app in order to be affected.

That means those most at risk are people who get apps from places other than the Google Play store, although Zacuto noted that even sticking to official app stores isn't a guarantee of safety.

"They do a great job catching malicious apps, but they don't catch 100 percent," he said.

Despite the lengthy process, Google and Qualcomm say things are improving, with flaws being fixed sooner and more devices getting updates.

"There is an overwhelming consensus that things are getting better, that we are moving things in the right direction," Qualcomm engineering VP Alex Gantman told Recode.

By Ina Fried, Recode.net.

CNBC's parent NBCUniversal is an investor in Recode's parent Vox, and the companies have a content-sharing arrangement.