Four major Android vulnerabilities dubbed QuadRooter that affect 900 million devices have been uncovered by security firm Check Point.
A range of popular devices are at risk, including the Samsung Galaxy S7 and S7 Edge, Sony Xperia Z Ultra, Google Nexus 5X, 6 and 6P, HTC One M9 and HTC 10, and even the security-focused BlackBerry Priv and Blackphone 1 and 2.
Check Point explained in a blog post that the flaws are in the software used to manage the Qualcomm chips included in the vast majority of Android devices.
"QuadRooter is a set of four vulnerabilities affecting Android devices that are built on chipsets from Qualcomm, a supplier of 80 per cent of the chipsets in the Android ecosystem," said Check Point in a blog post.
"If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations and gain root access to a device, enabling them to change or remove system-level files, delete or add apps and access the device's screen, camera or microphone.
"The vulnerabilities are found in the software drivers Qualcomm ships with its chipsets. An attacker can exploit these vulnerabilities using a malicious app to trigger privilege escalations and gain root access to a device.
"This app would require no special permissions to take advantage of the vulnerabilities, which means they would not make users suspicious."
Defcon has a summary of a talk about QuadRooter by Adam Donenfeld, a senior security researcher at Check Point, who said that Android remains a problem security-wise, despite Google's best attempts.
"Following recent security issues discovered in Android, Google made a number of changes to tighten security across its fragmented landscape. However, Google is not alone in the struggle to keep Android safe," said the summary.
"With this in mind, we decided to examine Qualcomm's code in Android devices. During our research, we found multiple privilege escalation vulnerabilities in multiple subsystems introduced by Qualcomm to all its Android devices in multiple different subsystems."
Just spent a year working on them? Too bad, Intel's lost interest
Sony factory in Wales now making 100,000 Raspberry Pis every week
38-year-old Alexander Vinnik faces up to 55 years in jail
Threadripper also available from today if you want a lot more power - but you'll have to wait for the motherboards to appear