“Researchers have found that Qualcomm’s Snapdragon chip, one of the most widely used in Android phones, has hundreds of bits of vulnerable code that leaves millions of Android users at risk,” reports Gizmodo:
To back up a bit, Qualcomm is a major chip supplier to several well-known tech companies. In 2019, its Snapdragon series of processors could be found on nearly 40% of all Android smartphones, including high-profile flagship phones from Google, Samsung, Xiaomi, LG, and OnePlus. Researchers from Check Point, a cybersecurity firm, found the digital signal processor (DSP) in Qualcomm Snapdragon chips had over 400 pieces of vulnerable code. The vulnerabilities, altogether dubbed “Achilles,” can impact phones in three major ways.
Attackers would only have to convince someone to install a seemingly benign app that bypasses usual security measures. Once that’s done, an attacker could turn the affected phone into a spying tool. They’d be able to access a phone’s photos, videos, GPS, and location data. Hackers could potentially also record calls and turn on the phone’s microphones without the owner ever knowing. Alternatively, an attacker could choose to render the smartphone completely unusable by locking all the data stored on it in what researchers described as a “targeted denial-of-service attack.” Lastly, bad actors could also exploit the vulnerabilities to hide malware in a way that would be unknown to the victim, and unremovable.
Part of why so many vulnerabilities were found is that the DSP is a sort of “black box.” It’s difficult for anyone other than the manufacturer of the DSP to review what makes them work…
The article notes that Qualcomm has no evidence of the vulnerability being exploited in the wild, adding that the company has “reportedly since fixed the issue.”
But they also note that it’s still up to individual phone makers to push out the relavant security paches, “which could take some time.”
of this story at Slashdot.
Source:: Slashdot