1 Billion Android Devices At Data Theft Risk Due to Snapdragon Chip Flaw
Researchers have discovered more than 400 vulnerabilities in Qualcomm’s Snapdragon chips which affect more than 1 billion Android devices. The flaws can be exploited to install malicious apps on target devices without user permissions, which can be used to steal user data, track user location or listen in on their surroundings.
The vulnerabilities directly affect the digital signal processing (DSP) function of Snapdragon processors, which is used to process video, audio, augmented reality, and other multimedia functionality. It is also used to control quick charge features. The vulnerabilities allow attackers to hide malicious code from the operating system, which makes it unremovable. Attackers can also leave the Android device unresponsive, which makes it difficult to use the device to make any changes and resolve the issue.
Qualcomm has been notified of these vulnerabilities, dubbed Achilles by Check Point, and the following CVEs have been assigned to track them: CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209. Check Point Research has not published the full technical details of these vulnerabilities, including which specific processors are affected.
For its part, Qualcomm has released a fix, but as of writing it has not been shipped to any Android device as a software update or rolled out as part of Android’s code base as a patch. Google and Qualcomm have not shared any plans on when the patches will be released to the general public. Considering the number of devices that are impacted by these bugs, it will not be easy for the patches to reach all of them.
In a statement shared with Ars Technica, Qualcomm said that there is no evidence of the vulnerabilities being exploited in the wild yet. However, the company advises that users only install apps from trusted locations such as the Google Play Store.
“Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.”
However, it is important to note that the Google Play Store does not really guarantee that the apps available on it can be trusted, as we have seen many times in the past when the Play Store has been used to distribute malicious apps to millions of users.
We will keep you updated once Google and OEMs share plans to roll out the patches for these bugs.