Latest Android patches fix critical ‘QualPwn’ Wi-Fi flaws

In theory, all Android monthly security patches are of equal importance. But sometimes some end up being more equal than others.

A good example is the August 2019 security bulletin, which features a modest 26 CVE-level flaws, made up of 5 marked critical, and 20 rated high priority.

That’s a considerably lighter patch load than recent months. However, closer study reveals that two of the critical flaws could allow an attacker to compromise the Android system kernel over the air (OTA) via numerous System-on-a-Chip (SoC) WLAN interfaces from Qualcomm, including those on the popular 835 and 845 parts.

‘QualPwn’

Normally, Android users are offered the patch and little else by way of explanation. This month, however, the company that discovered the issues, Tencent’s Blade Team, has decided to publicise them under the name ‘QualPwn’.

The two important ones are identified as CVE-2019-10539 and CVE-2019-10540. The first of these could in some circumstances allow an attacker to “compromise the WLAN and Modem over-the-air,” while the second could allow a kernel compromise over the same interface.

These are dangerous because they could be exploited by sending vulnerable devices a specially crafted file without the need for user interaction.

A third flaw, CVE-2019-10538, is rated as less severe but could also make possible a kernel compromise.

The mitigating factor is that the attacker would need to carry out an attack via the same Wi-Fi network as the target, which is to say the flaws can’t be exploited remotely over the internet.

Tencent said it had discovered the issues in March 2019, and Google told vendors in early June 2019.

Who is affected?

Devices running a Qualcomm SoC account for a large percentage of higher-end devices over the last couple of years. Those using the 845 include Samsung’s Galaxy S9, Google’s Pixel 3 line, plus models from OnePlus, Xiaomi, LG, Asus, Sony, and several others (older but equivalent models from the same vendors, for example the Google Pixel 2, will probably be running the 835).

However, while Tencent said it hadn’t tested all Qualcomm SoCs, Qualcomm itself has since issued an advisory that lists numerous SoC parts that appear to cover a large part of the market.

Tencent said it wouldn’t disclose details of the critical flaws until:

“We’re informed that the flaws are fixed and consumers have time to install security updates on their devices.”

Confusingly, Tencent also says it plans to reveal more about the flaws in a Black Hat presentation this week, followed by something similar at next week’s Paris DEF CON 27.

Because non-Google Android devices can take months to receive released fixes, you could be waiting a while for this update to roll out to you, unless any exploits are noticed in the meantime (so far, none have been).

Checking for updates

Depending on the version of Android, a device’s patch level (2019-07-01 or 2019-07-05) can be determined in Settings > About phone > Android security patch level. 

For Android 9 it’s Settings > System > Advanced > System updates.

If you’re running a Google Pixel device, you should see that the last updates were applied in early July 2019. For other devices, it could be as far back as early 2019.
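For anyone checking more than one handset, the same patch-level check can be scripted against the output of `adb shell getprop`. This is an added example, not part of the original article: it assumes the August 2019 Qualcomm fixes correspond to patch level 2019-08-05 and that `ro.board.platform` reports `msm8998` for the 835 and `sdm845` for the 845 (neither is stated on this page), and the sample dumps are constructed.

```python
import re
from datetime import date

# Assumption (not stated in the article): the August 2019 bulletin's
# Qualcomm component fixes are included from this patch level onward.
FIXED_LEVEL = date(2019, 8, 5)

# Assumption: ro.board.platform values for the two SoCs the article names.
NAMED_PLATFORMS = {"msm8998": "Snapdragon 835", "sdm845": "Snapdragon 845"}

# getprop prints one "[key]: [value]" pair per line.
PROP_RE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]\s*$")


def parse_getprop(text):
    """Turn raw `getprop` output into a dict, ignoring malformed lines."""
    props = {}
    for line in text.splitlines():
        match = PROP_RE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


def triage(text):
    """Classify one device from its getprop dump."""
    props = parse_getprop(text)
    raw_level = props.get("ro.build.version.security_patch", "")
    try:
        level = date.fromisoformat(raw_level)
    except ValueError:
        return "unknown"  # property missing or not YYYY-MM-DD
    if level >= FIXED_LEVEL:
        return "patched"
    if props.get("ro.board.platform", "").lower() in NAMED_PLATFORMS:
        return "unpatched-named-soc"
    # Other Qualcomm parts may be affected; compare against Qualcomm's advisory.
    return "unpatched-check-advisory"


# Constructed sample dumps, not captured from real devices.
SAMPLE_JULY = """[ro.board.platform]: [sdm845]
[ro.build.version.security_patch]: [2019-07-05]
[ro.product.model]: [Pixel 3]"""
SAMPLE_AUGUST = SAMPLE_JULY.replace("2019-07-05", "2019-08-05")

if __name__ == "__main__":
    for name, dump in (("july", SAMPLE_JULY), ("august", SAMPLE_AUGUST)):
        print(name, triage(dump))
```

A result of "unpatched-check-advisory" means only that the device is behind the assumed patch level; whether its chipset is affected still has to be checked against Qualcomm's advisory.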