- A vulnerability has been discovered in Qualcomm's Snapdragon chipsets.
- It may leave more than 40 per cent of global Android phones at risk.
- Qualcomm has said it is working on a fix but till then you can do only so much about it.
A vulnerability in Qualcomm Snapdragon chip may have put over 40 per cent of global Android devices at risk. According to a new report, the vulnerability has been found in Snapdragon's digital signal processor, also called DSP, which could make it prone to exploits. A malicious actor could target the vulnerability to install spyware that will masquerade as a benign application on the smartphones powered by Qualcomm's ubiquitous chipsets. Smartphones from major companies, such as Samsung, Google, LG, Xiaomi, and OnePlus, are powered by Qualcomm Snapdragon chipsets.
Security researches at Check Point discovered the vulnerability in the chips, in addition to mentioning the purposes, it could be used to target more than 40 per cent of Android devices currently active worldwide. According to Google, there were over 2.5 billion active Android devices as of April last year. Which makes the current situation even direr, given it is almost a year since that announcement. Qualcomm's Snapdragon vulnerability could open various streams for hackers and put a plethora of Android smartphones at the risk of spying, data theft, and bricking, according to Check Point.
The report explains hacker would need the user of these devices to install a small, benign application which will gain access to most confidential data on the device, such as phone calls, contacts, photos, location, and real-time microphone data. This set of data could be used for spying on users, possibly ending in a big-level money extortion scams. The data stored on these devices could also be siphoned off without user's knowledge, in a manner that is surreptitious at best. And finally, hackers could pester the smartphone with services, which users are likely to deny and ultimately lose access to the devices in the process called bricking.
Qualcomm has acknowledged the vulnerabilities and assigned them CVE numbers, as well. It has also notified vendors, such as Samsung, Google, and more, about the vulnerability and begun to work on patches. But the way Android updates are pushed to devices, thanks to the lack of a single channel, it might take more time for vendors to finally issue the patch than hackers would take to exploit the vulnerability. "Although Qualcomm has fixed the issue, it's sadly not the end of the story," said Yaniv Balmas, head of cyber research at Check Point. "If such vulnerabilities are found and used by malicious actors, there will be tens of millions of mobile phone users with almost no way to protect themselves for a very long time," he added.
Since the vulnerability is centred in the chipset's DSP, which is managed as "black boxes" by Qualcomm, it could be difficult for vendors or companies other than Qualcomm to understand the complexity, review the design, and work on the fix. A botched-up attempt could only exacerbate the issue, making the DSP more vulnerable to potential risks.
On the other hand, a Qualcomm spokesperson has told Forbes, "Providing technologies that support robust security and privacy is a priority for Qualcomm. Regarding the Qualcomm Computer DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end-users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store."
Qualcomm's statement does not specify how much it is going to take to release the patch, which only deepens the worry of a major fraction of the world's total Android device users. For now, the only solution is to refrain from visiting potentially risky websites, downloading unidentified and strange content, and wait for the fix to be out.