Android Central has a more more reasonable (less fear-mongering) write-up on the threat
actually posed by QuadRooter.
Threats like these tend to be initially reported by a company that stands to gain by doing so (nearly always a "security" company no one has ever heard of, but
be sure to install our app to make sure you're protected!), and then the media runs amok because (a) omg that sounds scary and (b) independent research and understanding is just
hard.
In reality, the number of "vulnerable" phones is not 900 million, as the vulnerability (like many others) requires a malicious APK to be installed from outside the Play Store.
Google was also made aware of the vulnerabilities months ago, so you can bet your butt that they've updated their malware scanners (both Bouncer for the Play Store and the Verify Apps feature mandatory on Android phones since Jellybean) accordingly.
So actually being affected by this scary-sounding exploit would require an unwitting user to:
- have a device with a Qualcomm SoC (they're popular, sure, but far from the only game in town), and
- enable the "Unknown Sources" option buried in their phone's security settings, and
- accidentally download an infected APK (likely from a site offering pirated apps and games), and
- attempt to install said infected APK, which would most likely result in a scary warning from the Verify Apps feature letting you know that dragons be ahead and you really shouldn't do the thing you're trying to do, and
- install it anyway.
Keep in mind that Google's malware detection/protection systems can be updated effectively in real-time thanks to the Google Play Services framework - with that,
you can be protected from threats like these even without requiring the specific vulnerabilities to be patched.
So sure, be careful about what apps you install and from where, but that's just common sense. There's no need to panic just because another security vendor got their exploit with a catchy name published in the news.
