This Qualcomm-Based Android Bug Is Squashed, After Threatening Hundreds Of Millions Of Users


Android is one of the most popular mobile operating systems, powering most smartphones on the planet.

That is the case for many reasons: Android, which is backed by Google, allows manufacturers to use it as they wish. The operating system is flexible and versatile, powerful and very capable. But unfortunately for Android, the operating system is also riddled with flaws.

Previously, Android apps were found to be capable of stealing data from other apps on the same device. Not to mention the numerous malware-ridden apps that were even found on Android's official app stores.

And if those aren't threatening enough, researchers from Check Point found that a deep-rooted flaw in Qualcomm chips is threatening hundreds of millions of Android phones out there.

The security firm said that hackers could use the flaw that resides on Qualcomm-powered Android devices to read text messages, listen to phone conversations and, in some cases, even unlock the SIM card.


According to the researchers' blog post, the bug lies in Qualcomm's Mobile Station Modem, also called the MSM.

The MSM, which has been around since the 1990s, is a cellular modem that is essentially a series of systems on chips embedded in mobile devices, which can also include a 5G MSM.

Android has the ability to communicate with the MSM chip’s processor through the Qualcomm MSM Interface (QMI), a proprietary protocol that enables communication between the software components in the MSM and other peripheral subsystems on the device such as cameras and fingerprint scanners.

Check Point Research said that exploiting the MSM's modem data service could allow hackers to inject malicious code into QMI, infecting the Android operating system.

This in turn would give hackers access to users' call history and SMS, and allow them to listen to conversations made on the device. Hackers can also exploit the bug to unlock the SIM.

MSM is an integral component inside Android devices. And this is why MSM has always been and will continue to be a popular target for security research and for cybercriminals.

And this time, the MSM bug, according to Check Point's estimates, affects "nearly 40% of the world’s phones", including popular models made by Samsung, Google, Xiaomi, LG, OnePlus, Asus, Sony, ZTE and more.


Fortunately, Apple devices and Android phones that use chipsets made by other manufacturers are not affected by this flaw.

Check Point said that there have been no reports of hackers exploiting this flaw in the wild.

This makes sense because Qualcomm's modems are known to be pretty hard to successfully attack from the network side.

What's more, Qualcomm, which quickly acknowledged the bug, has released a fix and assigned the identifier CVE-2020-11292 to this flaw.

"Qualcomm Technologies has already made fixes available to OEMs in December 2020, and we encourage end users to update their devices as patches become available," a Qualcomm representative said.

The Qualcomm representative also added that Check Point's attack scenario seems to be kind of pointless.

According to the argument, the bug could only be exploited if the hackers could first breach Android's security. And if this happens, the hackers would already have the same kind of information about texts and calls that could be gleaned from breaking into the MSM modem afterward.

But whatever the case, users have no option other than to wait for the update to arrive on their phones.

Published: 07/05/2021