Security software company Check Point detailed vulnerabilities affecting 900 million smartphones and tablets powered by Qualcomm chips, although subsequent comments from the chipmaker and Google tempered the threat somewhat.

According to Check Point, which dubbed the issues QuadRooter, any one of the four weaknesses could enable an attacker to gain root access to a device. The exploit needs a malicious app, although this would require no special permissions to take advantage of the vulnerabilities in the software drivers which ship with Qualcomm chips, “alleviating any suspicion users may have when installing”.

Google noted that various protections in its app store “help identify, block and remove applications that exploit vulnerabilities like these”, Android Central said. Owners of devices running Android 4.2 onward would therefore not be able to install them without manually overriding security features.

Three QuadRooter vulnerabilities have been addressed in an Android update already, with the fourth to follow shortly.

Qualcomm, meanwhile, said: “We were notified by the researcher about these vulnerabilities between February and April of this year, and made patches available for all four vulnerabilities to customers, partners, and the open source community between April and July.”

But Check Point noted that since the vulnerable drivers are installed on devices at the point of manufacture, “they can only be fixed by installing a patch from the distributor or carrier”. And with the Android update model somewhat patchy at best, “this situation highlights the inherent risks in the Android security model”.

“Critical security updates must pass through the entire supply chain before they can be made available to end users. Once available, the end users must then be sure to install these updates to protect their devices and data,” the security firm said.