Cyber security solutions expert Check Point has found several security vulnerabilities in Qualcomm's Snapdragon chipsets that power a majority of Android devices globally. Apparently the issue lies in the Digital Signal Processor (DSP) chips that are used for audio signal and digital image processing. This flaw lets a hacker snoop into devices as well as deploy unremovable malware which is also capable of evading detection.
These vulnerable chips are on almost every Android phone around the globe from manufacturers like Samsung, Xiaomi, OnePlus, Google and more. Check Point also suggests that this vulnerability allows an attacker to turn the phone into a spying tool, without any user interaction required. Thus allowing hackers to quietly extract information like photos, videos, call-recording, real-time microphone data, GPS and location data, etc.
Hackers also gain the ability to render the mobile phone constantly unresponsive making all the information stored on this phone permanently unavailable which is simply a targeted denial-of-service attack. On top of that, this chipset flaw also allows attackers to use malware and other malicious code to completely hide their activities and become unremovable.
Notably, Qualcomm has patched the six identified security flaws however, the fix isn’t that simple. The only way the security patches can reach devices is through mobile vendors who need to implement and deploy them to their users. Until and unless the security fix reaches your device, you could very well be vulnerable to these attacks. “We decided to publish this blog to raise awareness to these issues. We have also updated relevant government officials, and relevant mobile vendors we have collaborated with on this research to assist them in making their handsets safer. The full research details were revealed to these stakeholders," Check Point explained in a research report.
Update: Qualcomm has shared a statement with News18 on the detected vulnerabilities and insist that there is no evidence any of these have been exploited. They also urge users to update their smartphones when patches are released. “Providing technologies that support robust security and privacy is a priority for Qualcomm. Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store," says a Qualcomm spokesperson.