Android phones may be vulnerable to security flaw in Qualcomm chip
Patched on Qualcomm’s end, the flaw could allow attackers to access your call history and text messages and eavesdrop on your phone conversations, says Check Point Research.
Android phone users may be susceptible to a security vulnerability that could compromise their devices. In a research report published Thursday, cyber threat intelligence provider Check Point Research revealed certain details on a flaw it identified in 2020 in Qualcomm mobile station modem (MSM) chips, including ones used in 5G devices.
SEE: Top Android security tips (free PDF) (TechRepublic)
Savvy hackers who exploit the flaw could inject malicious code into the MSM, giving them access to the device’s call history and SMS text messages. An attacker would also be able to listen to the user’s phone conversations and potentially unlock the phone’s SIM to dig up even more information.
On the plus side, Check Point said that it informed Qualcomm about the vulnerability last October, prompting the chip maker to patch the hole on its end via CVE-2020-11292. However, mobile phone makers must apply the patch and roll out the fix to users, which means that any device not yet updated would still be vulnerable.
“The patch isn’t automatic,” Check Point spokesperson Ekram Ahmed told TechRepublic. “The mobile vendors themselves must apply the fix. Qualcomm says it has notified all Android vendors, and we spoke to a few of them ourselves. We do not know who patched or not. From our experience, the implementation of these fixes takes time, so many of the phones are likely still prone to the threat.”
Qualcomm confirmed that the fix was provided to device makers last December and that many have already rolled out the necessary updates to users. Further, the vulnerability and the fix will be included in the next Android security bulletin due out in June.
Responsible for cellular communications, high definition recording and other features, the MSM is outfitted in 40% of phones around the world and in the majority of Android devices, such as ones from Google, Samsung, LG, Xiaomi and OnePlus. The discovered flaw could be exploited through the Qualcomm MSM Interface (QMI), a protocol that fosters communication between software in the MSM and device peripherals such as cameras and fingerprint scanners, Check Point said.
However, Qualcomm said that it found no proof of the flaw being exploited in the wild, noting that it was rated high and not critical. To take advantage of this security hole, an attacker would also need to get past the existing Android security protections in the first place, the company added.
How to protect yourself
To defend yourself from any vulnerabilities discovered in mobile devices, Check Point shared a few tips in a blog post about the issue:
- Always make sure your mobile phone has been updated with the latest version of the operating system or any new security patches. This helps protect your device against any flaws that have been exploited.
- Download apps only from official app stores. This decreases the likelihood of downloading and installing mobile malware.
- Enable the “remote wipe” capability available on mobile devices. Such a feature allows you to remotely erase a lost or stolen phone to prevent the wrong person from accessing any sensitive data.
- Finally, install a security product on your mobile device.