Faux QuadRooter Android Fix: Capitalizing on Fear

At DEF CON, details were disclosed about a set of four vulnerabilities affecting more than 900 million Android smartphones and tablets that use Qualcomm® chipsets—including the newer S7 and S7 Edge. This dangerous new set of vulnerabilities has been dubbed "QuadRooter".

If cybercriminals exploit any of these four vulnerabilities, they may gain access to smartphones and tablets: QuadRooter lets them trigger privilege escalation to gain root access to a device. Scary stuff.

The good news: a response came swiftly—according to the Tech Times, Qualcomm released patches to fix the issues, with three of them already appearing in Google's August security update (the fourth is scheduled for the September edition). On top of that, Check Point released QuadRooter Scanner to the Google Play store on August 7th, and there are already other remedies in the Google Play app store.

The bad news: QuadRooter might be almost completely neutralized, but its nefarious spirit lives on. Cyber threat actors are exploiting the fear and paranoia generated by QuadRooter's looming presence. It was reported that neither of the two apps named “Fix Patch QuadRooter” by KiwiApps Ltd. actually patched the Android system. These apps were removed from the Google Play store but were discovered in other app stores around the world along with “pop-up” QuadRooter apps from KiwiApps and other developers.

What do these faux fixes look like?

As mentioned above, KiwiApps Ltd. published two versions of their app, a Pro and Free version, to Google Play. Copies of these apps (APKs) popped up in the Hybrid App Store “SameAPK”. As of this post, the Pro version cannot be downloaded, but the APK for the “Free” version was downloaded successfully.

To date, RiskIQ has detected 27 instances of QuadRooter “Scanners”, “Checkers”, and “Fixers”.


Here's the breakdown by app store:

  • Google Play Store: 6
  • BingAPK: 5
  • SameAPK: 5
  • AppBrain: 4
  • AppChina (应用汇): 4
  • D.cn (当乐): 1
  • PConline (太平海电脑网): 1
  • Ruan8 (软吧): 1
  • Tencent MyApp (应用宝官网): 1
  • Wandoujia (豌豆荚): 1


Interestingly, of all the instances of this type of app discovered by RiskIQ, one stands out more than the others: the list of URLs with which the app communicates includes a bare IP address (located in China). As of this post, the app—developed by TrustLook Inc.—is still live in the Google Play store.

Stay safe out there

Most organizations will have a substantial number of employees and customers using vulnerable phones that are actively targeted by adversaries. To protect yourself, make sure you blacklist these apps, so employees do not download them. Solutions like RiskIQ discover fraudulent apps based on keywords in app titles and throughout the apps themselves—the description, the developer name, and the app code. Our logo detection can also identify mobile apps using fraudulent logos.
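
As an added example (not RiskIQ's detection logic), the keyword approach described above can be applied to an app inventory or store-listing export, together with a check for the bare-IP endpoint pattern noted earlier. The listing field names, the vetted-developer set and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Keywords from the post: the vulnerability name plus the roles the apps claim.
NAME = re.compile(r"quad\s*rooter", re.I)
ROLE = re.compile(r"\b(?:scanner|checker|fixer|fix|patch)(?:s|es)?\b", re.I)
# Assumption: lower-cased names of publishers your organization has vetted.
VETTED_DEVELOPERS = {"example vetted vendor"}

def bare_ip_urls(urls):
    """Return the URLs whose host is a literal IP address rather than a domain."""
    hits = []
    for url in urls:
        try:
            host = urlsplit(url if "://" in url else "//" + url).hostname
            ipaddress.ip_address(host or "")
        except ValueError:  # host is a domain name, empty, or malformed
            continue
        hits.append(url)
    return hits

def triage(listing):
    """Return the reasons a listing deserves review (empty list = no match)."""
    text = " ".join(listing.get(k, "") for k in ("title", "description", "developer"))
    if not NAME.search(text):
        return []
    reasons = ["mentions QuadRooter"]
    if ROLE.search(text):
        reasons.append("claims to scan/check/fix")
    if listing.get("developer", "").strip().lower() not in VETTED_DEVELOPERS:
        reasons.append("developer not vetted")
    ips = bare_ip_urls(listing.get("urls", []))
    if ips:
        reasons.append("contacts bare IP: " + ", ".join(ips))
    return reasons

# Constructed sample listings (not real store data; IPs are documentation ranges).
SAMPLES = [
    {"title": "Fix Patch QuadRooter Free", "developer": "Example Dev A",
     "description": "One tap fix", "urls": ["https://ads.example.com/sdk"]},
    {"title": "Quad Rooter Checker", "developer": "Example Dev B",
     "description": "Check your phone", "urls": ["http://203.0.113.7/api"]},
    {"title": "Flashlight", "developer": "Example Dev C",
     "description": "Bright light", "urls": ["http://198.51.100.9/"]},
]

if __name__ == "__main__":
    for app in SAMPLES:
        print(app["title"], "->", triage(app) or "no match")
```

A listing that matches is a candidate for manual review and blacklisting, not proof of malice: the vetted-developer set is what separates a legitimate scanner from a look-alike.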

And for customers and employees who bring their own devices? For now, all we can do is educate them with info like this blog post.

Questions? Feedback? Email research-feedback@riskiq.net to contact our research team.
