More than 1 billion Android devices with a Qualcomm SoC are vulnerable to hackers because of more than 400 exploitable vulnerabilities in their Snapdragon mobile processors.
The vulnerabilities are very serious: they can be exploited when a target downloads a video or other content that is processed by the chip. Targets can also be attacked when they install malicious applications that do not require any permissions.
From there, attackers can monitor locations, listen to real-time audio, and exfiltrate photos and videos. The exploits also make it possible to render the phone completely unresponsive. Infections can be hidden from the operating system in a way that makes disinfection difficult.
The Snapdragon vulnerabilities are in the DSP (Digital Signal Processor), which handles upload, video, audio, augmented reality, and other multimedia functions. Phone manufacturers can also use DSPs to run dedicated applications that enable custom functions.
“While DSP chips offer a relatively inexpensive solution that enables mobile phones to offer end-users more functionality and enable innovative features, they come at a cost,” researchers from security firm Check Point wrote in a short report on the vulnerabilities they discovered.
“These chips introduce a new attack surface and weak points to these mobile devices. DSP chips are much more vulnerable to risks since they are managed as ‘Black Boxes’, as it can be very complex for anyone other than their manufacturer to review its design, functionality or code.”
Qualcomm has released a mitigation for the vulnerabilities, but so far it has not been incorporated into the Android operating system or any Android device that uses Snapdragon, Check Point said. Because of this, the researchers are withholding technical details about the vulnerabilities and how they can be exploited until fixes reach end-user devices. Check Point has called the vulnerabilities “Achilles”. The 400+ bugs are tracked as CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208, and CVE-2020-11209.
“Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we have worked diligently to validate the issue and make appropriate mitigations available to smartphone manufacturers. We have no evidence that it is currently being exploited. We encourage end-users to update their devices as patches become available and to only install apps from trusted places like the Google Play Store,” said Qualcomm.
Check Point said that the Snapdragon SoC is included in about 40 percent of phones worldwide. With an estimated 3 billion Android devices, that equates to more than 1 billion phones. In the US market, Snapdragon is present in around 90 percent of devices.