BlackBerry has released a security advisory that addresses an industry-wide local elevation of privilege vulnerability (“ASHmenian Devilâ€Â) that has been discovered in BlackBerry Android smartphones.
BlackBerry states the the company is not aware of any exploitation of this vulnerability and that customer risk is limited by the inability of a potential attacker to force exploitation of the vulnerability without customer interaction.
Successful exploitation requires an attacker craft a malicious application (app) and that a user install the malicious app. If the requirements are met for exploitation, an attacker could potentially gain non-persistent locally elevated privileges.
The vulnerability known as “ASHmenian Devil” is one of four vulnerabilities, collectively known as QuadRooter, that were disclosed at the DefCon 24 security conference. Three of the four QuadRooter vulnerabilities were fixed at, or before, the August 5, 2016 Android security patch level on the BlackBerry PRIV. The same vulnerabilities are fixed in all software versions on BlackBerry DTEK50.
Both BlackBerry Android smartphones running builds earlier than AAG111 are affected by this exploit and users should update to build AAG111 and later. This software version is available immediately for affected BlackBerry smartphones that have been purchased from ShopBlackBerry.com.
To install the patch, simply navigate to Settings -> About phone -> System updates on your BlackBerry Android device.
After installing the recommended software update, affected customers will be fully protected from this vulnerability.
BlackBerry are the first major OEM to patch all of the QuadRooter issues on both their Android smartphones.
If your BlackBerry PRIV or DTEK50 smartphone was purchased from a source other than ShopBlackBerry.com, you should contact that retailer or carrier directly for availability information.
