Once again, it's Android security scare season. This morning news broke of the latest collection of vulnerabilities, discovered by security firm Check Point and grouped together under the catchy moniker "QuadRooter." As usual, most of the reporting has focused on worst-case scenarios and a shockingly huge number of potentially vulnerable devices — in this case, an estimated 900 million. We're going to break down exactly what's going on, and just how vulnerable you're likely to be. Read on.

1. It's a Qualcomm thing

Check Point specifically targeted Qualcomm due to its dominant position in the Android ecosystem. Because so many Android phones use Qualcomm hardware, the drivers Qualcomm contributes to the software on these phones make for an attractive target — a single set of vulnerabilities affecting a large proportion of the Android user base. (Specifically, the bugs affect networking, graphics and memory allocation code.)

Qualcomm's drivers are a big, attractive target.

All four of the exploits that make up QuadRooter affect Qualcomm drivers, so if you have a phone that uses no Qualcomm hardware at all — for example, a Galaxy S6 or Note 5 (which use Samsung's own Exynos processor and Shannon modem) — you're not affected by this.

2. It's serious, but there's no evidence of it being used in the wild

As the name suggests, QuadRooter is a collection of four exploits in Qualcomm's code which could allow a malicious app to gain root privileges — i.e. access to do basically anything on your phone. From there, you can dream up any number of nightmare scenarios: attackers listening in on phone calls, spying through your camera, pilfering financial details or locking down your data with ransomware.

No-one's talking about these exploits being used in the wild yet, which is a good thing. (Check Point estimates that the bad guys will have it packaged into functioning malware within three or four months.) However, given the challenges involved in updating the software on the billion-plus Android devices out there, malware creators will have plenty of time to figure out a practical application. But...

3. Chances are you're not actually "vulnerable"

QuadRooter is one of the many Android security issues that require you to manually install an app. That means manually going into Security settings and toggling the "Unknown Sources" checkbox.

Any vuln which requires you to manually install an app runs into two major roadblocks: the Play Store, and Android's built-in "Verify Apps" feature. Given that Check Point first disclosed the vulnerabilities back in April, Google has almost certainly been scanning Play Store apps for these exploits for quite some time. That means you'll be fine if, like most people, you only download apps from the Play Store.

And even if you don't, Android's "Verify Apps" feature is designed to act as an additional layer of protection, scanning apps from third-party sources for known malware before you install. This feature is enabled by default in all Android versions since 2012's 4.2 Jelly Bean, and because it's part of Google Play Services, it's always updating. As of the most recent stats available, more than 90 percent of active Android devices are running version 4.2 or later.

We don't have explicit confirmation from Google that "Verify Apps" is scanning for QuadRooter, but given that Google was informed months ago, chances are it is. And if it is, Android will identify any QuadRooter-harboring app as harmful and show a big scary warning screen before letting you get anywhere near installing it.

In that case, are you still "vulnerable?" Well, technically. You could conceivably go to Security settings, enable Unknown Sources, then ignore the full-screen warning that you're about to install malware and disable yet another security setting elsewhere. But at that point, to a large extent, it's on you.

4. Android security is hard, even with monthly patches

One interesting aspect of the QuadRooter saga is what it shows us about the Android security challenges that still remain, even in a world of monthly security patches.

Three of the four vulnerabilities are fixed in the latest August 2016 patches, but one has apparently slipped through the cracks and won't be fixed until the September patch. That's cause for legitimate concern given that disclosure happened back in April.

However, a Qualcomm rep told ZDNet that the chipmaker had been issuing patches of its own to manufacturers between April and July, so it's possible certain models may have been updated outside of the Google patching mechanism. This only underscores the confusion involved with having an explicit patch level from Google, while device manufacturers and component makers are also providing security fixes.