A new Qualcomm chip bug can potentially affect 30 percent of all Android phones around the world, according to some security researchers. Using the vulnerability, which was found in the 5G modem data service, hackers can remotely target Android users, inject malicious code in a phone’s modem, and gain the ability to execute code.
Hackers Could Gain the Ability to Execute Code, Access Call Histories, Messages, and Eavesdrop on Calls
According to Check Point Research, the bug (CVE-2020-11292) exists in the Qualcomm Mobile Station Modem (MSM) Interface, also known as QMI. MSMs are SoCs developed by Qualcomm, while QMI is a proprietary protocol that allows a modem’s software components and other subsystems to communicate with each other. Because MSMs have been in use since the 2G era, the bug's impact could be devastating.
QMI is used in around 30 percent of the world’s smartphones, and hackers can attack the device remotely using a trojanized Android application. Given below is a brief explanation from a Check Point Research spokesperson on how smartphones can be attacked remotely.
“The vector involves a target installing a malicious application. Assuming a malicious application is running on the phone, it can use this vulnerability to ‘hide’ itself within the modem chip, making it invisible in terms of all security measures on phones today.”
Threatpost reports that additional details were not shared, as they could allow hackers to exploit all those devices. The spokesperson instead said that the security researchers attempted to attack the chip from within the phone itself, and in the process, they stumbled onto something interesting. It appears that the vulnerability can ‘unlock’ a phone that is carrier locked by playing around with the modem.
Threatpost also mentions that Qualcomm is well aware of the problem and has issued a fix, though patches will be slow to roll out. This is because vendors like Samsung, Xiaomi, OnePlus, and others will have to deliver the fix to their customers themselves through a routine security update, meaning this could take much longer than expected.
“Qualcomm says it has notified all Android vendors, and we spoke to a few of them ourselves. We do not know who patched or not. From our experience, the implementation of these fixes takes time, so many of the phones are likely still prone to the threat.”
Android phone makers have been punctual with security updates, but if you happen to own a model that is no longer receiving updates simply because it is too old, you might be out of luck. If you value your privacy, we highly recommend picking up a new smartphone.
News Source: Check Point Research