QuadRooter is a set of four new Android vulnerabilities that affect devices with a Qualcomm chipset. The first generation Fire TV running the latest software version, 22.214.171.124 (Build 550145120), is vulnerable. Running the QuadRooter Scanner app on the Fire TV 1 reveals all four vulnerabilities are present, as shown in the screenshot above. The Fire TV 2 and Fire TV Stick do not have Qualcomm chips, so they are not vulnerable to this new exploit.
QuadRooter is a privilege escalation vulnerability, which means it can be used to gain root access to a device. The Fire TV 1 running software version 126.96.36.199 and 188.8.131.52 is not currently rootable. Those of you with an unrootable Fire TV 1, who want to root your device, may want to block software updates to see if a new rooting method, that takes advantage of these new vulnerabilities, is developed in the next few weeks.
Qualcomm and Google have known about the QuadRooter vulnerabilities for several months, but their presence has only been made public a couple days ago. Google has already patched 3 of the 4 vulnerabilities in their August security update, with the fourth patch scheduled to arrive in September. Amazon incorporates Google’s patches into Fire OS, so this means it’s very likely the next Fire TV 1 software update will patch the QuadRooter vulnerabilities, closing any possible rooting methods that may come from them in the process.
Those of you who don’t care about rooting and just want to keep your Fire TV 1 safe and secure don’t need to worry too much. You have to manually sideload an infected app to be affected, so if you’re not sideloading any apps onto your device and only installing apps from the official Fire TV appstore, you should be safe because, presumably, Amazon is vetting official apps. Your device is only at risk if you’re sideloading apps from untrusted sources. If you sideload apps onto your Fire TV, you should always download APKs directly from the app developer’s original location, and not from some random source you find online.